Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 10:29

General

  • Target

    Company Profile.exe

  • Size

    3.4MB

  • MD5

    b09ce7efdb241a6dc395ea44cf0e86ac

  • SHA1

    ee40b55737d3bbb010514ae32c0d9da5cdc2c529

  • SHA256

    0e39910988f4e5f6a89354c7f83321db4ea548d20d5e217480559b308a85ea11

  • SHA512

    54805f70714d6d9a8e1640434de9d4f3a0394911b62b1e1d99f481907237897adb6a15408469adf7d2bc29ac940fd181ea0f023547b5b5cfb8ddc4f3b0cec46b

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger log file 3 IoCs

    Detects a log file produced by MassLogger.

  • ACProtect 1.3x - 1.4x DLL software 4 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 24 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
    "C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1888
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      PID:2684
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2772
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4536

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
      Filesize

      1KB

      MD5

      34e8b2171354c453d797ba87994835cd

      SHA1

      1ca22625dc440c47b70759fa7243959780b2d5ac

      SHA256

      f04d43abaa67f2f4c2dacb207dc58cd5cc20a3d5334e7ea0c03a4338320a2e89

      SHA512

      445246ffaf59e2ab67fa9135fe15549013e19f94b44de3a725fdea5bd9e002b6c0a24f67a2a3ec6101b65951ebeaf58eed6945a9a2af3de6ba63518668a7d770

    • C:\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll
      Filesize

      594KB

      MD5

      e81aeac387c5db32b7f9b07d15e788e0

      SHA1

      829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3

      SHA256

      44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06

      SHA512

      cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

    • memory/1888-134-0x00000000056C0000-0x0000000005C64000-memory.dmp
      Filesize

      5.6MB

    • memory/1888-136-0x00000000053B0000-0x0000000005442000-memory.dmp
      Filesize

      584KB

    • memory/1888-137-0x0000000006060000-0x00000000060C6000-memory.dmp
      Filesize

      408KB

    • memory/1888-138-0x00000000069C0000-0x00000000069CA000-memory.dmp
      Filesize

      40KB

    • memory/1888-139-0x0000000007720000-0x0000000007770000-memory.dmp
      Filesize

      320KB

    • memory/1888-140-0x000000000E9A0000-0x000000000EA3C000-memory.dmp
      Filesize

      624KB

    • memory/1888-132-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

    • memory/1888-131-0x0000000000000000-mapping.dmp
    • memory/2184-135-0x0000000007600000-0x00000000078B1000-memory.dmp
      Filesize

      2.7MB

    • memory/2184-130-0x0000000007340000-0x00000000075F1000-memory.dmp
      Filesize

      2.7MB

    • memory/2772-141-0x0000000000000000-mapping.dmp
    • memory/4536-145-0x0000000000000000-mapping.dmp