masslogger | ef14c04357ab1b9fabd4f11d838b55dea45d9a900d4f0292b53150410d0e2677

Analysis

max time kernel
116s
max time network
122s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mpUN2haQz3Hh396.exe
Size

872KB
MD5

b616ebc834b650fee67ce3e99095dc6f
SHA1

c59a55cfb577b14589024ac0a34edcdb39d02c74
SHA256

f058f245d06f4d059132d2b9e90f84a332d0471ff0c421d49ca828d76874b8f3
SHA512

9b971064e009f3c52da0998fc31956bd3b156bb0a69447a1ef4960e54b4b145d8104b88b18b8a72a65b66cbd59445ec9210439e9b41a25b9cd919d15b9c11ee7

Score

10^/10

masslogger collection coreentity evasion rezer0 spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
whyworry1090#

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1040-56-0x0000000000270000-0x0000000000278000-memory.dmp	coreentity

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1040-57-0x0000000004D30000-0x0000000004DDE000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mpUN2haQz3Hh396.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mpUN2haQz3Hh396.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	mpUN2haQz3Hh396.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	mpUN2haQz3Hh396.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	mpUN2haQz3Hh396.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	mpUN2haQz3Hh396.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mpUN2haQz3Hh396.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org

flow	ioc
4	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	mpUN2haQz3Hh396.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	mpUN2haQz3Hh396.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

description pid process target process

PID 1040 set thread context of 1384 1040 mpUN2haQz3Hh396.exe mpUN2haQz3Hh396.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

pid process

1384 mpUN2haQz3Hh396.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

pid process

1384 mpUN2haQz3Hh396.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

description pid process

Token: SeDebugPrivilege 1384 mpUN2haQz3Hh396.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

pid process

1384 mpUN2haQz3Hh396.exe

description	pid	process	target process
PID 1040 set thread context of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe

pid	process
1712	schtasks.exe

pid	process
1384	mpUN2haQz3Hh396.exe

pid	process
1384	mpUN2haQz3Hh396.exe

description	pid	process
Token: SeDebugPrivilege	1384	mpUN2haQz3Hh396.exe

pid	process
1384	mpUN2haQz3Hh396.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

mpUN2haQz3Hh396.exe

description	pid	process	target process
PID 1040 wrote to memory of 1712	1040	mpUN2haQz3Hh396.exe	schtasks.exe
PID 1040 wrote to memory of 1712	1040	mpUN2haQz3Hh396.exe	schtasks.exe
PID 1040 wrote to memory of 1712	1040	mpUN2haQz3Hh396.exe	schtasks.exe
PID 1040 wrote to memory of 1712	1040	mpUN2haQz3Hh396.exe	schtasks.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe
PID 1040 wrote to memory of 1384	1040	mpUN2haQz3Hh396.exe	mpUN2haQz3Hh396.exe

outlook_office_path 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe

outlook_win_path 1 IoCs

Processes:

mpUN2haQz3Hh396.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mpUN2haQz3Hh396.exe

C:\Users\Admin\AppData\Local\Temp\mpUN2haQz3Hh396.exe
"C:\Users\Admin\AppData\Local\Temp\mpUN2haQz3Hh396.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdNcIoxjxwGkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA890.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\mpUN2haQz3Hh396.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA890.tmp

Filesize
1KB

MD5
cc5e348c7cc46a4f368df2b92e15f803

SHA1
207a7d83c3a75ba36d46d5d940864d2c965e1639

SHA256
6dd0b5e43b5021bb433fb15386acd1f1e36dcfdb1782087dbc4b404bc0611caf

SHA512
4a6304b9b0740878efcd76106a481418f032c49d6c782557bb3b1e66eba7dbb9dfdb740d159526d6550fd48e168aaf346e27ae53a73442c162a0aaa7af427e45

Download Submit
memory/1040-55-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1040-56-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/1040-57-0x0000000004D30000-0x0000000004DDE000-memory.dmp

Filesize
696KB

Download
memory/1040-54-0x0000000000CE0000-0x0000000000DC0000-memory.dmp

Filesize
896KB

Download
memory/1384-84-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-88-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-61-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-63-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-64-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-65-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-66-0x00000000004A150E-mapping.dmp

Download
memory/1384-68-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-70-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-72-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-74-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-80-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-78-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-76-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-86-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-570-0x0000000000BF0000-0x0000000000C34000-memory.dmp

Filesize
272KB

Download
memory/1384-82-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-60-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-92-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-90-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-94-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-96-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-100-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-98-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-102-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-106-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-104-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-110-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-108-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-114-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-112-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-120-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-118-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1384-122-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download