Overview

overview

10

Static

static

00068dc51d...6c.exe

windows7_x64

10

00068dc51d...6c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

  • Size

    981KB

  • MD5

    96de546b32289587f7db830e1e385a26

  • SHA1

    60f2925dc7ebdb8aa4c844edcaa3b0b5c6b4954b

  • SHA256

    00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c

  • SHA512

    f26fe0d399a4b428a80a828c29e63145c7eb406200829fa473ae40e77c055f45071d4cacb02c8a59c87969ecb0dc3f7a7e97387bc0ecf34d080ede36b18951fd

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe
    "C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4997.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4556
    • C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe.log
    Filesize

    1KB

    MD5

    400f1cc1a0a0ce1cdabda365ab3368ce

    SHA1

    1ecf683f14271d84f3b6063493dce00ff5f42075

    SHA256

    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

    SHA512

    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp4997.tmp
    Filesize

    1KB

    MD5

    10e1face4ffdc6121038160de5dfb2e5

    SHA1

    2e30a7f9112f7a2a9523552639d86ac37c654273

    SHA256

    4ce635aba88296abd1f9b93a5d4afda4c2b86b72b9fcd39f9baec3d7a8bbcfc5

    SHA512

    e065ea15dc9bee086707abf38042705f797d012a2495acf5abc23ae7a5271b36484f9293b4477ab4c307016f8d1ff57dd87de646081cce7597ea63a4d5e3d975

    Download Submit

  • memory/1728-660-0x0000000005450000-0x0000000005A78000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1728-663-0x00000000062F0000-0x000000000630E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1728-662-0x0000000005BF0000-0x0000000005C56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1728-661-0x0000000005410000-0x0000000005432000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1728-659-0x0000000004D20000-0x0000000004D56000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1728-658-0x0000000000000000-mapping.dmp

    Download

  • memory/1848-133-0x000000000A840000-0x000000000A84A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1848-134-0x000000000E030000-0x000000000E0CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1848-132-0x000000000A880000-0x000000000A912000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1848-130-0x0000000000400000-0x00000000004FE000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/1848-131-0x000000000AC90000-0x000000000B234000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3224-656-0x0000000000000000-mapping.dmp

    Download

  • memory/3312-170-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-184-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-154-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-156-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-158-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-160-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-162-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-164-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-166-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-168-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-150-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-174-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-176-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-172-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-178-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-180-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-182-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-152-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-186-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-188-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-190-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-192-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-194-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-196-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-198-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-200-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-655-0x00000000058B0000-0x0000000005916000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3312-148-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-146-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-144-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-142-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-140-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-138-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3312-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4556-135-0x0000000000000000-mapping.dmp

    Download