Analysis
-
max time kernel
126s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:38
General
-
Target
Inquired Materials.exe
-
Size
2.3MB
-
MD5
47d3bd28eb5dd0d07bf1550987f443fd
-
SHA1
f25d43feefd19d187e64f4bf8bfb33589cc0c32a
-
SHA256
db6d686590ded24cbfc0dfb2be4cd25035d7422c4cf49e6b9bf94469d2573e7d
-
SHA512
76065edd59cb13198de9d7f668977089d02b4bad286f6067141acbca57a54f8da07bc48b78ee04954e5e5f0f916eb113a0eb212dc13702d5c36f27cbddffebec
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\EEB932C954\Log.txt
Family
masslogger
Ransom Note
#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 4:31:43 AM
MassLogger Started: 5/21/2022 4:31:36 AM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
As Administrator: True
Extracted
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Dmacdavid
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inquired Materials.exe"C:\Users\Admin\AppData\Local\Temp\Inquired Materials.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1008-165-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-139-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-643-0x0000000008180000-0x000000000821C000-memory.dmpFilesize
624KB
-
memory/1008-642-0x0000000008090000-0x00000000080E0000-memory.dmpFilesize
320KB
-
memory/1008-134-0x0000000000000000-mapping.dmp
-
memory/1008-169-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-137-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-167-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-141-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-143-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-145-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-147-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-149-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-151-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-153-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-155-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-157-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-159-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-161-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-163-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-641-0x0000000006560000-0x000000000656A000-memory.dmpFilesize
40KB
-
memory/1008-640-0x0000000006110000-0x0000000006176000-memory.dmpFilesize
408KB
-
memory/1008-135-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-171-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-173-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-175-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-177-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-179-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-181-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-183-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-185-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-187-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-189-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-191-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-193-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-195-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1008-197-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/4920-131-0x0000000005D80000-0x0000000006324000-memory.dmpFilesize
5.6MB
-
memory/4920-133-0x0000000005CE0000-0x0000000005D24000-memory.dmpFilesize
272KB
-
memory/4920-130-0x0000000000AE0000-0x0000000000D30000-memory.dmpFilesize
2.3MB
-
memory/4920-132-0x0000000005870000-0x0000000005902000-memory.dmpFilesize
584KB