Analysis
-
max time kernel
160s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 02:18
General
-
Target
Proforma Invoice.exe
-
Size
1.0MB
-
MD5
a009bf5f0bc5b29b3c7f70203584c20c
-
SHA1
1f95f553fb11d4d6f6b7a6a15a3ed19aba8403ba
-
SHA256
8c3156c901bae62d20fce1aa07a4c0e0252ac6ab6443877396a37f83441f2b65
-
SHA512
4185e273e76f21c4521f243d6f7aab693996269e4937053c053bba3ac2f83dcf0039b02ff7da23ae2648bc906e96e18f2f82e21a58956268518d4b1fd688b9bd
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt
masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efLaWx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1306.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
1KB
MD5bf923425b8bc0686f8308c314ecc5e7d
SHA1babc2d6e48d671b3a647b8d486d5b6aa28c609b2
SHA256f87306540eec5bf1d74b7560c958ad8010bd7e2d62887d4b0a4132869bf4e418
SHA512db7c0d9138cb49f7b6ffe03874c6278863d22c7a379e551a308eb8362566843d9508348dc1e3358fbed829515abf031aaa82b39cd04520f5b09658e3a24f0f36
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
1.0MB
-
Filesize
712KB
-
Filesize
712KB
-
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-