Overview

overview

10

Static

static

Documents.pdf.exe

windows7_x64

10

Documents.pdf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.pdf.exe

  • Size

    842KB

  • MD5

    301e1a6b59a0e2249372ee47aec99f37

  • SHA1

    614105ff4c3c6677a8c44f734a7ba282db17ad0c

  • SHA256

    44a9da622295549820b1eb9645b524cc0a54b3c91832be3ba44630866a179607

  • SHA512

    fd773441e5012d9d45d62537b47921fc4ba7ac0e9f5cff084e8e9ffa6994a551728aabeb24beae6b4094df8c00713f1580a642f31874fe4c3f6b3aa1923b0484

Score
10/10
massloggercollectionransomwarerezer0spywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:53:57 AM MassLogger Started: 5/21/2022 4:53:39 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 6 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmZtCG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A0C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:104
    • C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A0C.tmp
    Filesize

    1KB

    MD5

    b51b7fd96d23527dce1d02c6648eda45

    SHA1

    d6fe76e5c35c740d14566558df78edd42c3e69a8

    SHA256

    daf685c9ce1acd6563a9c7d8390ffdc2d9509da01df74b34ecb2a6418d7292d7

    SHA512

    b428f6fd5c71e7dfa99c839ead71182e9d76bc8fb1a09b83a117c44c45b595ad4f32e3fb38a5c05483ebd910076d4066caaf53118949ac0fbef3f4ba6e91638b

    Download Submit
  • memory/104-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1840-54-0x0000000001360000-0x0000000001438000-memory.dmp
    Filesize

    864KB

    Download
  • memory/1840-55-0x0000000000380000-0x0000000000390000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1840-56-0x0000000006750000-0x00000000067FE000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1956-63-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-60-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-62-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-59-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-65-0x00000000004A2C8E-mapping.dmp
    Download
  • memory/1956-64-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-67-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-69-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1956-70-0x00000000006C0000-0x0000000000704000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1956-71-0x00000000751C1000-0x00000000751C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1956-72-0x0000000004DC5000-0x0000000004DD6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1956-73-0x0000000001340000-0x0000000001354000-memory.dmp
    Filesize

    80KB

    Download