Overview

overview

10

Static

static

167647227-...df.exe

windows7_x64

10

167647227-...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    167647227-54134-sdfnt4-2.pdf.exe

  • Size

    845KB

  • MD5

    7dc2565dadc8f091295dfe0b87fb40d8

  • SHA1

    05de206b83b43fa25e199ac07a38eae56cc97e8d

  • SHA256

    c75eff508f62cf4acb9960a32a93e15f4037325a66b8b669649c83d08ee70730

  • SHA512

    dd1c27d1349c55056ce1af23c0f0123aeface0188c898b0dfa9d29fb78f45280430f00b8e775f85ad1a9bcac456c244b745bb2a2522b59ddb0990ed2b571e612

Score
10/10
massloggerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:01:36 AM MassLogger Started: 5/21/2022 4:01:25 AM Interval: 5 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe As Administrator: True

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:5072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5ED9.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2764
        • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
          "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          PID:5048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5ED9.tmp.bat
    Filesize

    156B

    MD5

    0388225f5a505545fe6a4516312815bf

    SHA1

    c636938995ee797981fce2fc213de0005544a725

    SHA256

    aba2a658ae79eb624905a5b1a1605da68d955d172b7603cd23e84781e14d774b

    SHA512

    4edea89564c5fbe776cacf29e5bacc989b0edd41ea2ca1bf603c968a78a6239b0c9f4e1fcab07d7fe481068630b4e07763f489a6970f98d91385b7e678fe2db2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • memory/2104-130-0x00000000003B0000-0x000000000048A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2104-131-0x0000000005670000-0x0000000005C14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2764-140-0x0000000000000000-mapping.dmp

    Download

  • memory/3692-135-0x0000000005D50000-0x0000000005DB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3692-134-0x0000000005780000-0x0000000005812000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3692-133-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3692-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3700-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4040-136-0x0000000000000000-mapping.dmp

    Download

  • memory/5048-141-0x0000000000000000-mapping.dmp

    Download

  • memory/5048-144-0x0000000000820000-0x000000000082C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5048-145-0x0000000002A50000-0x0000000002A6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5072-138-0x0000000000000000-mapping.dmp

    Download