masslogger | 79690d4fb9d6c28644bb6ffaf431fb985b626ab681c857397e54c05ff221b46d

Analysis

max time kernel
109s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[C38226] #TD JMMasuda_Mfg.exe
Size

817KB
MD5

6ca7ca71e6777e838bb32c911e5e68eb
SHA1

a3c11cc089fd8f5db0d673d9f4f63d495ee3cffe
SHA256

fbc70395ea55477b8827145c12f85133565b1be20e31f71327ea17d2706127be
SHA512

c772675fe56dc2d95bdf7ff59c0a0ea81f0743f074cb5c7e9c29fc78e8f9eb19eb023d9b0a2bf2f9aadef2250dba78667a454db46275c7a9a91a800180ccef58

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.2.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 6:03:06 AM MassLogger Started: 5/21/2022 6:02:55 AM Interval: 6 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Amfl6kh#?~N0

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1044-139-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-141-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-143-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-145-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-147-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-149-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-151-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-155-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-153-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-157-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-159-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-161-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-163-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-165-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-167-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-169-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-171-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-173-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-175-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-177-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-179-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-181-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-183-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-185-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-187-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-189-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-191-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-193-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-195-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-197-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-201-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/1044-199-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

[C38226] #TD JMMasuda_Mfg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	[C38226] #TD JMMasuda_Mfg.exe

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

[C38226] #TD JMMasuda_Mfg.exe

description pid process target process

PID 4028 set thread context of 1044 4028 [C38226] #TD JMMasuda_Mfg.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4964 schtasks.exe

flow	ioc
34	api.ipify.org

description	pid	process	target process
PID 4028 set thread context of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe

pid	process
4964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

[C38226] #TD JMMasuda_Mfg.exeRegSvcs.exe

pid	process
4028	[C38226] #TD JMMasuda_Mfg.exe
4028	[C38226] #TD JMMasuda_Mfg.exe
4028	[C38226] #TD JMMasuda_Mfg.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe
1044	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

[C38226] #TD JMMasuda_Mfg.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4028 [C38226] #TD JMMasuda_Mfg.exe
Token: SeDebugPrivilege 1044 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4028	[C38226] #TD JMMasuda_Mfg.exe
Token: SeDebugPrivilege	1044	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

[C38226] #TD JMMasuda_Mfg.exe

description	pid	process	target process
PID 4028 wrote to memory of 4964	4028	[C38226] #TD JMMasuda_Mfg.exe	schtasks.exe
PID 4028 wrote to memory of 4964	4028	[C38226] #TD JMMasuda_Mfg.exe	schtasks.exe
PID 4028 wrote to memory of 4964	4028	[C38226] #TD JMMasuda_Mfg.exe	schtasks.exe
PID 4028 wrote to memory of 3228	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 3228	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 3228	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe
PID 4028 wrote to memory of 1044	4028	[C38226] #TD JMMasuda_Mfg.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\[C38226] #TD JMMasuda_Mfg.exe
"C:\Users\Admin\AppData\Local\Temp\[C38226] #TD JMMasuda_Mfg.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CIbVwu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA82B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA82B.tmp

Filesize
1KB

MD5
e947751c98ed88191982eded53edc942

SHA1
79e28d3ba72667e8ab13d80d4302ef9db5e88039

SHA256
f39b96b2fa142424aa8891d6a371ee1422b8d8a1d3263a6d2861999460059cac

SHA512
7dd9cd3f19ecc35307d560490eb137a231f3cc1503c74fabe53867c85ec2f1e66b80de039288d0f7ced3194fa2775131157085d5d11a74950efe9de493ab9687

Download Submit
memory/1044-161-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-138-0x0000000000000000-mapping.dmp

Download
memory/1044-167-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-641-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/1044-640-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/1044-199-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-201-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-165-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-141-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-143-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-145-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-163-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-149-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-151-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-155-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-153-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-157-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-159-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-197-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-147-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-195-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-193-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-169-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-171-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-173-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-175-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-177-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-179-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-181-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-183-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-185-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-187-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-189-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1044-191-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3228-137-0x0000000000000000-mapping.dmp

Download
memory/4028-133-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/4028-132-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4028-130-0x0000000000730000-0x0000000000802000-memory.dmp

Filesize
840KB

Download
memory/4028-131-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-134-0x0000000008E40000-0x0000000008EDC000-memory.dmp

Filesize
624KB

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download