masslogger | ca65b4f4e502d041504096fc855bf98d75bf824331442f6df97e2150df9c5821

Analysis

max time kernel
30s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shipment document pdf.exe
Size

825KB
MD5

58d90785308067dbb5b317014a3d3b41
SHA1

11ce185684c80f65946c9f36029725fa48b56058
SHA256

96fddf8ed5ba87a03b03c5e0387ab1f3ef44df00ce11d0761a108d6407472c86
SHA512

cf1662deb92f5e6cbd87ba395931eab5c9d12ba2bda0a6ce3564dec5c63307a22bfbdbf689b8b8562d05381e7f9bfa865141bc98a87f99885d3731ab33ff87bd

Score

10^/10

masslogger coreentity ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 5:16:31 AM MassLogger Started: 5/21/2022 5:16:20 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/916-56-0x0000000000860000-0x0000000000868000-memory.dmp	coreentity

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1324-63-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-64-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-65-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-66-0x00000000004A2E6E-mapping.dmp	family_masslogger
behavioral1/memory/1324-68-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-70-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-72-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-74-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-76-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-78-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-80-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-82-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-84-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-86-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-88-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-90-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-92-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-94-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-96-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-98-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-100-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-102-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-104-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-106-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-108-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-110-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-112-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-114-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-116-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-118-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-120-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral1/memory/1324-122-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/916-57-0x00000000050A0000-0x0000000005150000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

shipment document pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	shipment document pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

shipment document pdf.exe

description pid process target process

PID 916 set thread context of 1324 916 shipment document pdf.exe shipment document pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

shipment document pdf.exe

pid process

1324 shipment document pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

shipment document pdf.exeshipment document pdf.exe

pid process

916 shipment document pdf.exe
916 shipment document pdf.exe
1324 shipment document pdf.exe
1324 shipment document pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shipment document pdf.exeshipment document pdf.exe

description pid process

Token: SeDebugPrivilege 916 shipment document pdf.exe
Token: SeDebugPrivilege 1324 shipment document pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

shipment document pdf.exe

pid process

1324 shipment document pdf.exe

flow	ioc
3	api.ipify.org

description	pid	process	target process
PID 916 set thread context of 1324	916	shipment document pdf.exe	shipment document pdf.exe

pid	process
852	schtasks.exe

pid	process
1324	shipment document pdf.exe

pid	process
916	shipment document pdf.exe
916	shipment document pdf.exe
1324	shipment document pdf.exe
1324	shipment document pdf.exe

description	pid	process
Token: SeDebugPrivilege	916	shipment document pdf.exe
Token: SeDebugPrivilege	1324	shipment document pdf.exe

pid	process
1324	shipment document pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

shipment document pdf.exe

description	pid	process	target process
PID 916 wrote to memory of 852	916	shipment document pdf.exe	schtasks.exe
PID 916 wrote to memory of 852	916	shipment document pdf.exe	schtasks.exe
PID 916 wrote to memory of 852	916	shipment document pdf.exe	schtasks.exe
PID 916 wrote to memory of 852	916	shipment document pdf.exe	schtasks.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe
PID 916 wrote to memory of 1324	916	shipment document pdf.exe	shipment document pdf.exe

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SHxDJYNQYtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46D1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:852
- C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46D1.tmp

Filesize
1KB

MD5
64138be51175adf53614cfbf4860ae46

SHA1
88410d1fb75007ddbe4f71f273a318cf46522f1a

SHA256
c6b3a3bd2e473f5583e5867e2a15c837bda2e27e08660bb0ac3ecfce9b387ab3

SHA512
afd2e4620b4db46705eb49a4b19f5a2e9f6464cbb2d9c248722e82e498321472d43bfce5a73f1ff54084d88dc2dce919e24882527477e79268ff1bb73ec458d6

Download Submit
memory/852-58-0x0000000000000000-mapping.dmp

Download
memory/916-54-0x0000000001240000-0x0000000001314000-memory.dmp

Filesize
848KB

Download
memory/916-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x0000000000860000-0x0000000000868000-memory.dmp

Filesize
32KB

Download
memory/916-57-0x00000000050A0000-0x0000000005150000-memory.dmp

Filesize
704KB

Download
memory/1324-84-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-90-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-66-0x00000000004A2E6E-mapping.dmp

Download
memory/1324-68-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-74-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-76-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-78-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-80-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-82-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-86-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-88-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-61-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-92-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-94-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-96-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-98-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-100-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-102-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-104-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-106-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-108-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-110-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-112-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-114-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-116-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-118-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-122-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-578-0x00000000006E5000-0x00000000006F6000-memory.dmp

Filesize
68KB

Download