Overview

overview

10

Static

static

167647227-...df.exe

windows7_x64

10

167647227-...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    43s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    167647227-54134-sdfnt4-2.pdf.exe

  • Size

    845KB

  • MD5

    7dc2565dadc8f091295dfe0b87fb40d8

  • SHA1

    05de206b83b43fa25e199ac07a38eae56cc97e8d

  • SHA256

    c75eff508f62cf4acb9960a32a93e15f4037325a66b8b669649c83d08ee70730

  • SHA512

    dd1c27d1349c55056ce1af23c0f0123aeface0188c898b0dfa9d29fb78f45280430f00b8e775f85ad1a9bcac456c244b745bb2a2522b59ddb0990ed2b571e612

Score
10/10
massloggerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:00:07 AM MassLogger Started: 5/21/2022 1:59:56 AM Interval: 5 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe As Administrator: True

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8344.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:600
        • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
          "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          PID:2012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8344.tmp.bat
    Filesize

    156B

    MD5

    5f61e8fc324d5d7c0a36087e1fdce6c6

    SHA1

    ee39d23030a5012dc04d49e608477d602af47425

    SHA256

    777235467a1100e22a02d5308c29d8d9eba9bec965ad81ade78310afba87bb1e

    SHA512

    f61f5544d9b4457c1992771f8e886310322808fbfd12686c6dff913f0cda0315ed7e6bc70659c41a56d5819fc327d96c48300ce9b3c8da2d7c431734ddccf888

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • \Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • memory/316-62-0x0000000000000000-mapping.dmp

    Download

  • memory/600-65-0x0000000000000000-mapping.dmp

    Download

  • memory/784-59-0x0000000000510000-0x0000000000513000-memory.dmp

    Filesize

    12KB

    Download

  • memory/784-54-0x00000000008B0000-0x000000000098A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/784-56-0x0000000004A90000-0x0000000004B3C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/784-55-0x00000000049B0000-0x0000000004A92000-memory.dmp

    Filesize

    904KB

    Download

  • memory/884-60-0x0000000075701000-0x0000000075703000-memory.dmp

    Filesize

    8KB

    Download

  • memory/884-58-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/884-57-0x00000000004A1AAE-mapping.dmp

    Download

  • memory/1068-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1884-61-0x0000000000000000-mapping.dmp

    Download

  • memory/2012-68-0x0000000000000000-mapping.dmp

    Download

  • memory/2012-70-0x0000000001150000-0x000000000115C000-memory.dmp

    Filesize

    48KB

    Download