Overview

overview

10

Static

static

[C38226] #...fg.exe

windows7_x64

10

[C38226] #...fg.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 02:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [C38226] #TD JMMasuda_Mfg.exe

  • Size

    817KB

  • MD5

    6ca7ca71e6777e838bb32c911e5e68eb

  • SHA1

    a3c11cc089fd8f5db0d673d9f4f63d495ee3cffe

  • SHA256

    fbc70395ea55477b8827145c12f85133565b1be20e31f71327ea17d2706127be

  • SHA512

    c772675fe56dc2d95bdf7ff59c0a0ea81f0743f074cb5c7e9c29fc78e8f9eb19eb023d9b0a2bf2f9aadef2250dba78667a454db46275c7a9a91a800180ccef58

Score
10/10
massloggercoreentityransomwarerezer0spywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.2.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 6:04:01 AM MassLogger Started: 5/21/2022 6:03:34 AM Interval: 6 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[C38226] #TD JMMasuda_Mfg.exe
    "C:\Users\Admin\AppData\Local\Temp\[C38226] #TD JMMasuda_Mfg.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CIbVwu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5439.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1300
        3⤵
        • Program crash
        PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5439.tmp
    Filesize

    1KB

    MD5

    fe02e3e13abc46e2e96f0f4adf80b8cf

    SHA1

    c34c3f26589423074e6708d80619f2d15ef06e71

    SHA256

    142b2d4e3addec12f5652d1d4d753bc3e4a851f3064a3b615691ea943ba898ac

    SHA512

    bbd44be01e5e9cc0cab0d343747ed5c9666aaff9d6027719c3110cc26398c54d758e50c3a2eecbf475c631dbafaf626b4f76aa42f85a60ffbdbe591203a01e28

    Download Submit
  • memory/1700-572-0x0000000000000000-mapping.dmp
    Download
  • memory/1752-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2000-84-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-122-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-88-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-60-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-61-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-63-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-64-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-65-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-86-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-68-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-70-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-72-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-74-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-76-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-78-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-80-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-82-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-120-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-66-0x00000000004A1CBE-mapping.dmp
    Download
  • memory/2000-118-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-100-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-92-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-94-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-96-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-98-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-90-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-102-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-104-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-106-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-108-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-110-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-112-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-114-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2000-116-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2016-57-0x0000000005D60000-0x0000000005E0E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/2016-54-0x0000000000890000-0x0000000000962000-memory.dmp
    Filesize

    840KB

    Download
  • memory/2016-56-0x00000000004F0000-0x00000000004F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2016-55-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize

    8KB

    Download