Analysis
-
max time kernel
94s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:33
General
-
Target
Product-7783887.exe
-
Size
880KB
-
MD5
f35fc88f11874e02e90bb0aa88e2fccf
-
SHA1
0aa0f21d88688af2e38bf574a18c97f9939b6b42
-
SHA256
235bae9ae04ff1860775c42e55671d3bb84d5abdf4f0f0267c66c46050f8aaca
-
SHA512
e4bc231916f44dd6cd8785a741537ebe364e0d4656b57977046df2e4f1deb8b236c46abe6b8549102755b64cc653e6e5d61a3600965c9c3ac2cb88736400d0be
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
#################################################################
MassLogger v1.3.7.1
#################################################################
### Logger Details ###
User Name: Admin
IP: 127.0.0.1
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 4:22:41 AM
MassLogger Started: 5/21/2022 4:22:04 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
MassLogger Melt: true
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 6 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe"C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe'4⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
68KB
-
Filesize
672KB
-
-
Filesize
672KB
-
Filesize
272KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
904KB
-
Filesize
32KB
-
Filesize
704KB
-
Filesize
8KB
-
-
Filesize
5.7MB