masslogger | f80bf078233f75b4226bf4a5b16ef4bb3f32dd13826871353b4a39fad167e13c

General

Target

Order-411546.exe
Size

806KB
MD5

22ffcd520fe68ef6d11c131577091fff
SHA1

08ba8ae52078a1ad86ea3b8bde4f619b23d0eb04
SHA256

c8174141c60baa057aa9780fdb5fe1e4af59b9d3a9d5a1d8ab7d929b13d3882b
SHA512

f53c611e64a76cf46be0c8941edf987e0f25db0c4682d15aa60d595fddb4ead053f3fdd3d0cb0996d13f76a6e2ce1dcf2ecd15db6debabe5ef44b0a91478eac7

Score

10^/10

masslogger collection evasion ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:44:32 AM MassLogger Started: 5/21/2022 2:44:25 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Order-411546.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/1972-57-0x00000000055B0000-0x0000000005646000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Order-411546.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Order-411546.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	Order-411546.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Order-411546.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Order-411546.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Order-411546.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Order-411546.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Order-411546.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Order-411546.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Order-411546.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1688	1972	Order-411546.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1364	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1688	Order-411546.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1972	Order-411546.exe
1688	Order-411546.exe
1688	Order-411546.exe
1688	Order-411546.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	Order-411546.exe
Token: SeDebugPrivilege	1688	Order-411546.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	Order-411546.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1364	1972	Order-411546.exe	28
PID 1972 wrote to memory of 1364	1972	Order-411546.exe	28
PID 1972 wrote to memory of 1364	1972	Order-411546.exe	28
PID 1972 wrote to memory of 1364	1972	Order-411546.exe	28
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1972 wrote to memory of 1688	1972	Order-411546.exe	30
PID 1688 wrote to memory of 2032	1688	Order-411546.exe	31
PID 1688 wrote to memory of 2032	1688	Order-411546.exe	31
PID 1688 wrote to memory of 2032	1688	Order-411546.exe	31
PID 1688 wrote to memory of 2032	1688	Order-411546.exe	31
PID 2032 wrote to memory of 1676	2032	cmd.exe	33
PID 2032 wrote to memory of 1676	2032	cmd.exe	33
PID 2032 wrote to memory of 1676	2032	cmd.exe	33
PID 2032 wrote to memory of 1676	2032	cmd.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order-411546.exe

C:\Users\Admin\AppData\Local\Temp\Order-411546.exe
"C:\Users\Admin\AppData\Local\Temp\Order-411546.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CCllnFRcWGdXpZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA2C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\Order-411546.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Order-411546.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Order-411546.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBA2C.tmp

Filesize
1KB

MD5
77b954fc78e8766f4312d872bc02cd4d

SHA1
30ba21b2070991f8be48c918f58c71068cf808a7

SHA256
451e2cf9c11e8d9c53a159237a246b35e022d0871712e6106fef074ad9425216

SHA512
e2903615f794a51c1c0e5c6921bda4c53202e8eafbebf35403cbd2daf17b43953a8c230d627b530f0bc3f68fbeecda359b680ae80fb275332fdca8fd1135c8c0

Download Submit
memory/1676-78-0x000000006F280000-0x000000006F82B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-60-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-61-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-64-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-63-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-77-0x00000000010C5000-0x00000000010D6000-memory.dmp

Filesize
68KB

Download
memory/1688-73-0x00000000008C0000-0x00000000008D4000-memory.dmp

Filesize
80KB

Download
memory/1688-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1688-71-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1972-57-0x00000000055B0000-0x0000000005646000-memory.dmp

Filesize
600KB

Download
memory/1972-56-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1972-54-0x00000000012B0000-0x0000000001380000-memory.dmp

Filesize
832KB

Download
memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads