Analysis

  • max time kernel
    130s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:33

General

  • Target

    Product-7783887.exe

  • Size

    880KB

  • MD5

    f35fc88f11874e02e90bb0aa88e2fccf

  • SHA1

    0aa0f21d88688af2e38bf574a18c97f9939b6b42

  • SHA256

    235bae9ae04ff1860775c42e55671d3bb84d5abdf4f0f0267c66c46050f8aaca

  • SHA512

    e4bc231916f44dd6cd8785a741537ebe364e0d4656b57977046df2e4f1deb8b236c46abe6b8549102755b64cc653e6e5d61a3600965c9c3ac2cb88736400d0be

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note

#################################################################
MassLogger v1.3.7.1
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 10 Pro64bit
Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 4:22:49 AM
MassLogger Started: 5/21/2022 4:22:45 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
MassLogger Melt: true
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
    "C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
      "{path}"
      2⤵
        PID:4848
      • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
        "{path}"
        2⤵
          PID:2196
        • C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe
          "{path}"
          2⤵
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:4236
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Product-7783887.exe'
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5024

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Product-7783887.exe.log

        Filesize

        1KB

        MD5

        8783efc818e6c4b08cdd7dc7e06641d0

        SHA1

        481a410d390aefdd28ff1bc005d1ee46e7b092f2

        SHA256

        735a7e96c6b2d91b062f378d14291656b72c92d36b1a21584ce5b606b4ea8572

        SHA512

        1d48c97192d9ca4deca93a2a62dc6230d2752b1710c95660b41e89413b9b022a0139570d946580968bd04cf48497a6dc31e25d4aca7f477525b346ab0a302d32

      • memory/2196-138-0x0000000000000000-mapping.dmp

      • memory/3748-143-0x0000000000000000-mapping.dmp

      • memory/4236-142-0x0000000008570000-0x00000000085C0000-memory.dmp

        Filesize

        320KB

      • memory/4236-141-0x0000000005840000-0x00000000058A6000-memory.dmp

        Filesize

        408KB

      • memory/4236-140-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

      • memory/4236-139-0x0000000000000000-mapping.dmp

      • memory/4848-137-0x0000000000000000-mapping.dmp

      • memory/4888-136-0x0000000008BF0000-0x0000000008C8C000-memory.dmp

        Filesize

        624KB

      • memory/4888-130-0x0000000000700000-0x00000000007E2000-memory.dmp

        Filesize

        904KB

      • memory/4888-135-0x0000000005BF0000-0x0000000005C12000-memory.dmp

        Filesize

        136KB

      • memory/4888-134-0x0000000005BA0000-0x0000000005BB2000-memory.dmp

        Filesize

        72KB

      • memory/4888-133-0x0000000005060000-0x000000000506A000-memory.dmp

        Filesize

        40KB

      • memory/4888-132-0x00000000050E0000-0x0000000005172000-memory.dmp

        Filesize

        584KB

      • memory/4888-131-0x00000000055F0000-0x0000000005B94000-memory.dmp

        Filesize

        5.6MB

      • memory/5024-145-0x0000000000000000-mapping.dmp

      • memory/5024-146-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

        Filesize

        216KB

      • memory/5024-147-0x0000000005360000-0x0000000005988000-memory.dmp

        Filesize

        6.2MB

      • memory/5024-148-0x0000000005990000-0x00000000059F6000-memory.dmp

        Filesize

        408KB

      • memory/5024-149-0x0000000006160000-0x000000000617E000-memory.dmp

        Filesize

        120KB

      • memory/5024-150-0x00000000077A0000-0x0000000007E1A000-memory.dmp

        Filesize

        6.5MB

      • memory/5024-151-0x0000000007140000-0x000000000715A000-memory.dmp

        Filesize

        104KB

      • memory/5024-152-0x0000000007260000-0x00000000072F6000-memory.dmp

        Filesize

        600KB

      • memory/5024-153-0x00000000071F0000-0x0000000007212000-memory.dmp

        Filesize

        136KB