Overview

overview

10

Static

static

Request fo...er.exe

windows7_x64

10

Request fo...er.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request for new order.exe

  • Size

    948KB

  • MD5

    379abf3d912c4360aa57dcc1bf36425d

  • SHA1

    8d93efda1d50ba3dc65c4def509a14ded2559b15

  • SHA256

    31b2c043dac09d9f3c0050f5bdce779a26e4612f501573728d65188bb7684fbc

  • SHA512

    d4fbf4c9c0dbaaf913c5328f96e3775b465c1f7bd4ea29bbc354f66d9a2f737276862c956c53c8c3d485b6d26bc2f94032e8087295d8e2a2ddf8187b5765fe50

Score
10/10
massloggercollectionevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:46:43 AM MassLogger Started: 5/21/2022 3:46:07 AM Interval: 9 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Request for new order.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Modifies visibility of file extensions in Explorer 2 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Request for new order.exe
    "C:\Users\Admin\AppData\Local\Temp\Request for new order.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1944
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOfprlxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC24.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEC24.tmp
    Filesize

    1KB

    MD5

    8b1f3c9b3971222e70175d38149921ad

    SHA1

    a7efe1e487fe3a4f95e1b41615e85d909843ff9b

    SHA256

    b672e9392ccc8cefdb26c0f94b1a31388f55cc2823b5368cf7155e871b4e5d49

    SHA512

    7d97bd70620c62c8a179f2e92d0e2978adb634ddf84386cd540597d2affe6053685f5f02d29b44deb54ba5732d1884abe9a66238519c2bfc34ed695946015f58

    Download Submit

  • memory/1340-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1944-54-0x0000000000EC0000-0x0000000000FB2000-memory.dmp

    Filesize

    968KB

    Download

  • memory/1944-55-0x00000000765C1000-0x00000000765C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1944-56-0x00000000003E0000-0x00000000003E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1944-57-0x0000000005EB0000-0x0000000005F60000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1944-60-0x0000000009600000-0x00000000096A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/1944-61-0x0000000005070000-0x00000000050B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1944-62-0x0000000004A25000-0x0000000004A36000-memory.dmp

    Filesize

    68KB

    Download