Overview

overview

10

Static

static

Order Spec...ns.exe

windows7_x64

10

Order Spec...ns.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    95s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Specifications.exe

  • Size

    737KB

  • MD5

    1ea58404a64b36f8e367510d6c4d7062

  • SHA1

    9590069d7efa8767f8362c7d74a39ffd117c054d

  • SHA256

    f17e96a6ff93adedce32a09ce613d3e9bc33bf1a0555a56f3ec5882dee032b15

  • SHA512

    57065dc6de25ae00a7d9d3fc0990d5c8f9a2a072363575ef2a334613baefc0703a4bcf618eb8137cf17e90a4e01a847fe62b598a28c1a6958b02548cf95a6c7a

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 33 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
      "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
      2⤵
        PID:1136
      • C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
        "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
        2⤵
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1512-54-0x0000000000BC0000-0x0000000000C7E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1512-55-0x0000000000310000-0x0000000000318000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1512-56-0x00000000009D0000-0x0000000000A74000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1512-57-0x00000000005A0000-0x00000000005B6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1512-58-0x0000000000B20000-0x0000000000B34000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2040-59-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-60-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-62-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-64-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-63-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-65-0x00000000004A15EE-mapping.dmp

      Download

    • memory/2040-67-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-69-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-71-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-73-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-75-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-77-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-79-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-81-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-83-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-85-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-87-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-89-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-91-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-93-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-95-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-97-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-99-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-101-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-103-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-105-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-107-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-109-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-111-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-113-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-115-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-117-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-119-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-121-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-123-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2040-571-0x00000000053F0000-0x0000000005434000-memory.dmp

      Filesize

      272KB

      Download