Overview

overview

10

Static

static

10

Q2020-07-466am.exe

windows7_x64

10

Q2020-07-466am.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Q2020-07-466am.exe

  • Size

    1.4MB

  • MD5

    93a02efc3319e40884d86f0603d6073d

  • SHA1

    df7966c6dda6c785ad4bcf5b7a49f0a99a9bc51e

  • SHA256

    de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78

  • SHA512

    620172b1822721b279eb1b92d288a2ee82056b77c91c59134edc1aa727524bee2e5211cc41d69e67b1dc1caf9c555e5f475b3fca97d3dd3b94b224443e5fc2c7

Score
10/10
massloggercollectionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.6.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:34:33 AM MassLogger Started: 5/21/2022 4:34:13 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    y8wG[wgBvT]F

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 35 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Q2020-07-466am.exe
    "C:\Users\Admin\AppData\Local\Temp\Q2020-07-466am.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chulo /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chulo.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chulo /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chulo.exe"
        3⤵
        • Adds Run key to start application
        PID:2656
    • C:\Users\Admin\AppData\Roaming\chulo.exe
      "C:\Users\Admin\AppData\Roaming\chulo.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Roaming\chulo.exe
    Filesize

    1.4MB

    MD5

    93a02efc3319e40884d86f0603d6073d

    SHA1

    df7966c6dda6c785ad4bcf5b7a49f0a99a9bc51e

    SHA256

    de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78

    SHA512

    620172b1822721b279eb1b92d288a2ee82056b77c91c59134edc1aa727524bee2e5211cc41d69e67b1dc1caf9c555e5f475b3fca97d3dd3b94b224443e5fc2c7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\chulo.exe
    Filesize

    1.4MB

    MD5

    93a02efc3319e40884d86f0603d6073d

    SHA1

    df7966c6dda6c785ad4bcf5b7a49f0a99a9bc51e

    SHA256

    de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78

    SHA512

    620172b1822721b279eb1b92d288a2ee82056b77c91c59134edc1aa727524bee2e5211cc41d69e67b1dc1caf9c555e5f475b3fca97d3dd3b94b224443e5fc2c7

    Download Submit
  • memory/1656-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2656-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3440-163-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-173-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-138-0x0000000000000000-mapping.dmp
    Download
  • memory/3440-139-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-659-0x0000000007BA0000-0x0000000007BF0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3440-658-0x00000000070E0000-0x00000000070EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3440-143-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-145-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-147-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-149-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-151-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-153-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-155-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-157-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-159-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-161-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-657-0x0000000005AC0000-0x0000000005B26000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3440-165-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-167-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-169-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-171-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-656-0x0000000005650000-0x00000000056EC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3440-175-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-179-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-177-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-181-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-183-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-185-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-187-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-189-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-191-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-193-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-195-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-197-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-199-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-201-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3440-203-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3540-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3824-130-0x0000000000F80000-0x00000000010E6000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/3824-131-0x0000000006730000-0x0000000006CD4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3824-132-0x0000000006280000-0x0000000006312000-memory.dmp
    Filesize

    584KB

    Download