Overview

overview

10

Static

static

10

PO 7405591...40.exe

windows7_x64

10

PO 7405591...40.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO 7405591, 7756947 ,7756740.exe

  • Size

    1.2MB

  • MD5

    63831c721dddee09571fe4d9df808576

  • SHA1

    6fdd675db58fe108ec77ad19f72d05d908cbe07c

  • SHA256

    f8a4be5923387077b32e65cfea383db1576e5dd068b926a1e9833ff24e48fd64

  • SHA512

    c40638ecfab9b4de4756a29a09d68a4b896adbfedf8a43a0ebe7e09647d24a3d5e1c7bbe8fe324d090ebcf00424f59f5884cde0ac8f3974796d22a36b86da4c0

Score
10/10
massloggerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:41:34 AM MassLogger Started: 5/21/2022 4:41:22 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 8 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 7405591, 7756947 ,7756740.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 7405591, 7756947 ,7756740.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD22E.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1732
        • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
          "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpD22E.tmp.bat
    Filesize

    156B

    MD5

    8c1c52af5b996185a46c297183b7c5c8

    SHA1

    0c67a233bc2400ab81ff3b2d2fcf233c1489ac7f

    SHA256

    a8b609b20409f8e9422a91c49eeb314d5a0f0b25fe43075231536f00ce7c9fc3

    SHA512

    9fad60b3a1aba420818e25379ae593a19765acfc144c967010922fa00e4e7935ab1db1abb161b14e2d8fff392cec7d441e9c525dcf28b72c1e966be6f82fdc13

    Download Submit
  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • \Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • memory/300-87-0x0000000000000000-mapping.dmp
    Download
  • memory/908-85-0x0000000000000000-mapping.dmp
    Download
  • memory/1056-77-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-61-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-65-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-70-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-69-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-74-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-89-0x0000000000760000-0x00000000007A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1056-64-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-79-0x0000000075951000-0x0000000075953000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1056-62-0x00000000001A0000-0x0000000000248000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1056-81-0x00000000007A0000-0x00000000007E4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1056-67-0x00000000004A2DCE-mapping.dmp
    Download
  • memory/1136-91-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1136-83-0x0000000000000000-mapping.dmp
    Download
  • memory/1424-56-0x0000000000530000-0x0000000000546000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1424-59-0x00000000005D0000-0x00000000005D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1424-58-0x0000000000590000-0x0000000000598000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1424-54-0x0000000000FA0000-0x00000000010E0000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1424-57-0x00000000004A0000-0x00000000004A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1424-55-0x0000000000370000-0x0000000000378000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1512-94-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-96-0x00000000000F0000-0x0000000000102000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1640-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1732-90-0x0000000000000000-mapping.dmp
    Download
  • memory/1960-86-0x0000000000000000-mapping.dmp
    Download