masslogger | 3d9944fadf6c7c728f797cc56bed01e2c590e767239e04fcd007306e7bf0a419

General

Target

Anti Markietng Purchase Order Sheets.exe
Size

1.0MB
MD5

879f8158a062005bd3976a45233f8c69
SHA1

d6c3f71339d930006117125c007e2ea199e221f6
SHA256

3f97dfbae448b3eb28d6f08f666029037d890dc94dbce0e372b4dd2a63fd037f
SHA512

306f0f81cc26e2108ab1270be6eb9f1842539079ea174e471a0019b97078df54f257e735cde6d2e076373473d4612bf5f0835e00a963da7b0999fceb216931d9

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

<|| v2.1.0.0 ||> User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:57:46 AM MassLogger Started: 5/21/2022 2:57:31 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Anti Markietng Purchase Order Sheets.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| USB Spread ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Anti Markietng Purchase Order Sheets.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	Anti Markietng Purchase Order Sheets.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

Processes:

Anti Markietng Purchase Order Sheets.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Anti Markietng Purchase Order Sheets.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exe

description	pid	process	target process
PID 736 set thread context of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exeAnti Markietng Purchase Order Sheets.exe

pid	process
736	Anti Markietng Purchase Order Sheets.exe
736	Anti Markietng Purchase Order Sheets.exe
736	Anti Markietng Purchase Order Sheets.exe
736	Anti Markietng Purchase Order Sheets.exe
736	Anti Markietng Purchase Order Sheets.exe
2044	Anti Markietng Purchase Order Sheets.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exeAnti Markietng Purchase Order Sheets.exe

description	pid	process
Token: SeDebugPrivilege	736	Anti Markietng Purchase Order Sheets.exe
Token: SeDebugPrivilege	2044	Anti Markietng Purchase Order Sheets.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exe

description	pid	process	target process
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe
PID 736 wrote to memory of 2044	736	Anti Markietng Purchase Order Sheets.exe	Anti Markietng Purchase Order Sheets.exe

outlook_office_path 1 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe

outlook_win_path 1 IoCs

Processes:

Anti Markietng Purchase Order Sheets.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Anti Markietng Purchase Order Sheets.exe

C:\Users\Admin\AppData\Local\Temp\Anti Markietng Purchase Order Sheets.exe
"C:\Users\Admin\AppData\Local\Temp\Anti Markietng Purchase Order Sheets.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\Anti Markietng Purchase Order Sheets.exe
"{path}"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2044

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-54-0x0000000001160000-0x000000000126C000-memory.dmp

Filesize
1.0MB

Download
memory/736-55-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/736-56-0x0000000005500000-0x000000000558C000-memory.dmp

Filesize
560KB

Download
memory/736-57-0x0000000005960000-0x00000000059F8000-memory.dmp

Filesize
608KB

Download
memory/2044-58-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-59-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-61-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-62-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-63-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-64-0x00000000004941AE-mapping.dmp

Download
memory/2044-66-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-68-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2044-69-0x0000000000980000-0x00000000009C4000-memory.dmp

Filesize
272KB

Download
memory/2044-70-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/2044-71-0x0000000004F95000-0x0000000004FA6000-memory.dmp

Filesize
68KB

Download
memory/2044-72-0x0000000000B40000-0x0000000000B54000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads