Overview

overview

10

Static

static

Proforma Invoice.exe

windows7_x64

10

Proforma Invoice.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proforma Invoice.exe

  • Size

    1.0MB

  • MD5

    a009bf5f0bc5b29b3c7f70203584c20c

  • SHA1

    1f95f553fb11d4d6f6b7a6a15a3ed19aba8403ba

  • SHA256

    8c3156c901bae62d20fce1aa07a4c0e0252ac6ab6443877396a37f83441f2b65

  • SHA512

    4185e273e76f21c4521f243d6f7aab693996269e4937053c053bba3ac2f83dcf0039b02ff7da23ae2648bc906e96e18f2f82e21a58956268518d4b1fd688b9bd

Score
10/10
massloggerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.6.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 5:30:40 AM MassLogger Started: 5/21/2022 5:30:29 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efLaWx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1306.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4332
    • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp1306.tmp
    Filesize

    1KB

    MD5

    bf923425b8bc0686f8308c314ecc5e7d

    SHA1

    babc2d6e48d671b3a647b8d486d5b6aa28c609b2

    SHA256

    f87306540eec5bf1d74b7560c958ad8010bd7e2d62887d4b0a4132869bf4e418

    SHA512

    db7c0d9138cb49f7b6ffe03874c6278863d22c7a379e551a308eb8362566843d9508348dc1e3358fbed829515abf031aaa82b39cd04520f5b09658e3a24f0f36

    Download Submit
  • memory/1844-131-0x0000000005670000-0x0000000005C14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1844-132-0x00000000051C0000-0x0000000005252000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1844-133-0x0000000005270000-0x000000000527A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1844-134-0x00000000089B0000-0x0000000008A4C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1844-130-0x0000000000730000-0x000000000083C000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4228-161-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-169-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4228-141-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-143-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-145-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-147-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-149-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-151-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-153-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-155-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-157-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-159-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-656-0x0000000005870000-0x00000000058D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4228-163-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-165-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-167-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-138-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-171-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-173-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-175-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-177-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-179-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-181-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-183-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-185-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-187-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-189-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-191-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-193-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-195-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-197-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-201-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4228-199-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4332-135-0x0000000000000000-mapping.dmp
    Download