masslogger | 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

Analysis

max time kernel
106s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER202.exe
Size

941KB
MD5

0a3d357409cb2337a4d533b64b8265cd
SHA1

33cd12b0333af20dcb611b1f42d6a62f8167e90b
SHA256

5f678c283847316bd366cc6a5dcd2b20072271080f493607a03ecd5d26ba65a7
SHA512

8b2f1ad1c8260e2afabf8290d680ee29249fe2edb79d7740b039729f9cc5bbd3231836ac249a206488cb375efe9c3f5979b9b1b7e30e56b19c5692365b67fb64

Score

10^/10

masslogger collection evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

resource	yara_rule
behavioral2/memory/4740-139-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-141-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-143-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-145-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-147-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-149-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-151-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-153-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-155-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-157-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-159-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-161-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-165-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-163-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-167-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-169-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-171-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-173-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-175-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-177-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-179-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-181-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-183-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-185-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-187-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-189-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-191-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-193-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-195-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-197-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-199-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-201-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ORDER202.exe

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 4740	4828	ORDER202.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2088	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4740	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4828	ORDER202.exe
4828	ORDER202.exe
4740	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	ORDER202.exe
Token: SeDebugPrivilege	4740	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4740	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	83
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	83
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	83
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	86
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	86
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	86
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ORDER202.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp

Filesize
1KB

MD5
5f3b8012c2dac08869c4241594b55fa2

SHA1
d7bb06856c8561fd3d9b93700f877e30634d1002

SHA256
17505127dd776ded11e44ce620c99366e897bdcd49a3f27f1ed8214e216dfe80

SHA512
0cf4b0474c04641adf32697a9acee849ea54a9872a2b9b805ac11508c3a824896c838833b91fc779f95bbd21dfcc053ee91252938ab5abc2f027af1960b7752c

Download Submit
memory/4740-161-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-195-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-639-0x0000000006D60000-0x0000000006DB0000-memory.dmp

Filesize
320KB

Download
memory/4740-638-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4740-201-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-165-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-141-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-143-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-145-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-147-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-149-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-151-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-153-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-155-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-157-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-159-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-167-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-199-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-197-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-169-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-171-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-173-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-175-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-177-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-179-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-181-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-183-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-185-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-187-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-189-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-191-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-193-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-163-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-130-0x00000000000A0000-0x0000000000192000-memory.dmp

Filesize
968KB

Download
memory/4828-134-0x0000000009990000-0x0000000009A2C000-memory.dmp

Filesize
624KB

Download
memory/4828-131-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/4828-132-0x0000000007160000-0x00000000071F2000-memory.dmp

Filesize
584KB

Download
memory/4828-133-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download