Overview

overview

10

Static

static

Documents.pdf.exe

windows7_x64

10

Documents.pdf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.pdf.exe

  • Size

    842KB

  • MD5

    301e1a6b59a0e2249372ee47aec99f37

  • SHA1

    614105ff4c3c6677a8c44f734a7ba282db17ad0c

  • SHA256

    44a9da622295549820b1eb9645b524cc0a54b3c91832be3ba44630866a179607

  • SHA512

    fd773441e5012d9d45d62537b47921fc4ba7ac0e9f5cff084e8e9ffa6994a551728aabeb24beae6b4094df8c00713f1580a642f31874fe4c3f6b3aa1923b0484

Score
10/10
massloggerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:54:22 AM MassLogger Started: 5/21/2022 4:53:24 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmZtCG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:5072
    • C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
      "{path}"
      2⤵
        PID:2304
      • C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2236

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp
      Filesize

      1KB

      MD5

      75c0c559a9135119b544089492ec308f

      SHA1

      71de193e0eff7444f110b6f689ae5265ca6b6f2c

      SHA256

      5a6ca3b3748109f1ee3656a821c82775b50c8fa35f7dbfe0ee48fbcff9489080

      SHA512

      a43559bd61242433da2a6360909b0b10bcac058ca2f79a4df110f32a3bdde8c284ad3b89caf5aef2ebe0c94e19c86d4f3eec28849439b1d57da729a62cfa00b0

      Download Submit
    • memory/2236-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2236-139-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/2236-140-0x0000000005940000-0x00000000059A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2236-141-0x0000000007250000-0x000000000725A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2304-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2736-131-0x0000000000F50000-0x0000000001028000-memory.dmp
      Filesize

      864KB

      Download
    • memory/2736-132-0x0000000005890000-0x000000000592C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2736-133-0x0000000005A40000-0x0000000005AD2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2736-134-0x0000000007970000-0x0000000007F14000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5072-135-0x0000000000000000-mapping.dmp
      Download