masslogger | 6e8d5f2efa0d7a26b6e1adbfc706b33f6b8ff84021558465a1692da0c165a239

Analysis

max time kernel
152s
max time network
171s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan00465.pdf.exe
Size

1.1MB
MD5

6689c734a79172a09227598c7befc88c
SHA1

245ff8f832b627de99615d7b6396883c4abfbf13
SHA256

1583e4f9d42db06490a42d0a0fe911a0e4d390ad07b9b8f2d8245e675dff0a33
SHA512

7bbea317fb7c3c593390b12b9161d2baca584bad32ef7bdc754219b3c04b6ca08c2e82bf55907b9a4e9d026e55180b977430bc791130c05ef789d3f55125d0d2

Score

10^/10

masslogger ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 6:15:18 AM MassLogger Started: 5/21/2022 6:15:07 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1752-57-0x0000000005260000-0x0000000005318000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

scan00465.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	scan00465.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan00465.pdf.exe

description pid process target process

PID 1752 set thread context of 1152 1752 scan00465.pdf.exe scan00465.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

scan00465.pdf.exescan00465.pdf.exe

pid process

1752 scan00465.pdf.exe
1752 scan00465.pdf.exe
1152 scan00465.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

scan00465.pdf.exescan00465.pdf.exe

description pid process

Token: SeDebugPrivilege 1752 scan00465.pdf.exe
Token: SeDebugPrivilege 1152 scan00465.pdf.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1752 set thread context of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe

pid	process
2016	schtasks.exe

pid	process
1752	scan00465.pdf.exe
1752	scan00465.pdf.exe
1152	scan00465.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1752	scan00465.pdf.exe
Token: SeDebugPrivilege	1152	scan00465.pdf.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

scan00465.pdf.exe

description	pid	process	target process
PID 1752 wrote to memory of 2016	1752	scan00465.pdf.exe	schtasks.exe
PID 1752 wrote to memory of 2016	1752	scan00465.pdf.exe	schtasks.exe
PID 1752 wrote to memory of 2016	1752	scan00465.pdf.exe	schtasks.exe
PID 1752 wrote to memory of 2016	1752	scan00465.pdf.exe	schtasks.exe
PID 1752 wrote to memory of 1796	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1796	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1796	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1796	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe
PID 1752 wrote to memory of 1152	1752	scan00465.pdf.exe	scan00465.pdf.exe

C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bycmYDDQAzBI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68F1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
  "{path}"
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp68F1.tmp

Filesize
1KB

MD5
d4d9e766fa0eeba8452c16030db320ce

SHA1
c33d52c1c3d03917a068b2f62a183e11536dfd65

SHA256
bc77829bfd649b96c0599200ee527f84faa5b70bebc27cf00af96996db13ceb4

SHA512
2f3a3d9f11eb9b2033e09293ccc90d3012e5d895ac87266a01c4573349896d11ebcc4d8d8e18a12a45f65c58834b71f2585a2ddca43eb8ce72a922ea8a26c64e

Download Submit
memory/1152-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-114-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-581-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-122-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-120-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-64-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-66-0x00000000004AB99E-mapping.dmp

Download
memory/1152-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-72-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-76-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-60-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-118-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-92-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-94-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-96-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-98-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-100-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-102-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-104-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-106-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-108-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-110-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-112-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1152-116-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1752-54-0x0000000000240000-0x0000000000356000-memory.dmp

Filesize
1.1MB

Download
memory/1752-56-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/1752-55-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1752-57-0x0000000005260000-0x0000000005318000-memory.dmp

Filesize
736KB

Download
memory/2016-58-0x0000000000000000-mapping.dmp

Download