Overview

overview

10

Static

static

Product-7783887.exe

windows7_x64

10

Product-7783887.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product-7783887.exe

  • Size

    880KB

  • MD5

    f35fc88f11874e02e90bb0aa88e2fccf

  • SHA1

    0aa0f21d88688af2e38bf574a18c97f9939b6b42

  • SHA256

    235bae9ae04ff1860775c42e55671d3bb84d5abdf4f0f0267c66c46050f8aaca

  • SHA512

    e4bc231916f44dd6cd8785a741537ebe364e0d4656b57977046df2e4f1deb8b236c46abe6b8549102755b64cc653e6e5d61a3600965c9c3ac2cb88736400d0be

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:22:41 AM MassLogger Started: 5/21/2022 4:22:04 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 6 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
    "C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:956
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe'
          4⤵
          • Deletes itself
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/368-72-0x0000000000000000-mapping.dmp
    Download
  • memory/956-63-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-62-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-71-0x0000000001275000-0x0000000001286000-memory.dmp
    Filesize

    68KB

    Download
  • memory/956-58-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-64-0x00000000004A2D0E-mapping.dmp
    Download
  • memory/956-61-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-69-0x00000000003A0000-0x00000000003E4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/956-68-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-59-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/956-66-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1672-54-0x0000000001300000-0x00000000013E2000-memory.dmp
    Filesize

    904KB

    Download
  • memory/1672-56-0x0000000000470000-0x0000000000478000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1672-57-0x00000000008D0000-0x0000000000980000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1672-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1760-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-75-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download