Analysis
Max time kernel: 77s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: New order (R.R) 1808202.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: New order (R.R) 1808202.exe
  Resource: win10v2004-20220414-en
General
Target: New order (R.R) 1808202.exe
Size: 802KB
MD5: 26e0d9642410c40bc095fb579e4b2bc8
SHA1: 8b142703d79970003a0dfe108b3920a0181b97f2
SHA256: a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786
SHA512: 7a9bcab29cb487a8c7b8bc4bf12553504a8639cfb6108baee07e16d8a3abbde0614c4ed2f12f414370cc2395ee22b0c641c42ec40dc684c0935f12efddadb445
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt
  Family: masslogger
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule: masslogger_log_file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: New order (R.R) 1808202.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | New order (R.R) 1808202.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 35 IoCs)
  Processes: New order (R.R) 1808202.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: New order (R.R) 1808202.exe
  description | pid | process | target process
  PID 960 set thread context of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: New order (R.R) 1808202.exe
  pid | process
  1352 | New order (R.R) 1808202.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: New order (R.R) 1808202.exe, New order (R.R) 1808202.exe, Powershell.exe
  pid | process
  960 | New order (R.R) 1808202.exe
  960 | New order (R.R) 1808202.exe
  1352 | New order (R.R) 1808202.exe
  1352 | New order (R.R) 1808202.exe
  1160 | Powershell.exe
  1352 | New order (R.R) 1808202.exe
  1352 | New order (R.R) 1808202.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: New order (R.R) 1808202.exe, New order (R.R) 1808202.exe, Powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 960 | New order (R.R) 1808202.exe
  Token: SeDebugPrivilege | 1352 | New order (R.R) 1808202.exe
  Token: SeDebugPrivilege | 1160 | Powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: New order (R.R) 1808202.exe
  pid | process
  1352 | New order (R.R) 1808202.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: New order (R.R) 1808202.exe
  description | pid | process | target process
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1352 | 960 | New order (R.R) 1808202.exe | New order (R.R) 1808202.exe
  PID 960 wrote to memory of 1160 | 960 | New order (R.R) 1808202.exe | Powershell.exe
  PID 960 wrote to memory of 1160 | 960 | New order (R.R) 1808202.exe | Powershell.exe
  PID 960 wrote to memory of 1160 | 960 | New order (R.R) 1808202.exe | Powershell.exe
  PID 960 wrote to memory of 1160 | 960 | New order (R.R) 1808202.exe | Powershell.exe
- outlook_office_path (1 IoC)
  Processes: New order (R.R) 1808202.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | New order (R.R) 1808202.exe
- outlook_win_path (1 IoC)
  Processes: New order (R.R) 1808202.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | New order (R.R) 1808202.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New order (R.R) 1808202.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New order (R.R) 1808202.exe"
  PID: 960
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\New order (R.R) 1808202.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New order (R.R) 1808202.exe"
    PID: 1352
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Command line: "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
    PID: 1160
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken