Analysis
- max time kernel: 108s
- max time network: 116s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:01
Static task: static1
Behavioral task: behavioral1
- Sample: inquiry Nasser Al Falahy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: inquiry Nasser Al Falahy.exe
- Resource: win10v2004-20220414-en
General
- Target: inquiry Nasser Al Falahy.exe
- Size: 1.0MB
- MD5: a553824d8e07c030ee3d8c8c7ffbde82
- SHA1: 105230ce033771a93e3be121bcbb2b1511ceb008
- SHA256: 5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd
- SHA512: 854c2af6efe2ff5bfb00b7d10dd3d2a0a682ba746180a4d38d4fc9761ffe508867a7827103379c9b32b8cc8b9ceb79cbac80e1bad3e70cecbd0aa335f93bbeab
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt
- Family: masslogger
Extracted
- Protocol: smtp
- Host: mail.samlogistics.pk
- Port: 587
- Username: imp@samlogistics.pk
- Password: Seaimport121@
Signatures
- MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload 32 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2016-64-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-65-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-66-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-67-0x00000000004ACD3E-mapping.dmp | family_masslogger
behavioral1/memory/2016-69-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-71-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-73-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-75-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-77-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-79-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-81-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-83-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-85-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-87-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-89-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-91-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-93-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-95-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-97-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-99-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-101-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-103-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-105-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-107-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-111-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-109-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-113-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-115-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-117-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-119-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-121-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
behavioral1/memory/2016-123-0x0000000000400000-0x00000000004B2000-memory.dmp | family_masslogger
- MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule: masslogger_log_file
- Modifies visibility of file extensions in Explorer 2 TTPs
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: inquiry Nasser Al Falahy.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | inquiry Nasser Al Falahy.exe
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
Processes: inquiry Nasser Al Falahy.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | inquiry Nasser Al Falahy.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
- Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | api.ipify.org
- Suspicious use of SetThreadContext 1 IoCs
Processes: inquiry Nasser Al Falahy.exe
description | pid | process | target process
PID 1652 set thread context of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: inquiry Nasser Al Falahy.exe, inquiry Nasser Al Falahy.exe
pid | process
1652 | inquiry Nasser Al Falahy.exe
2016 | inquiry Nasser Al Falahy.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: inquiry Nasser Al Falahy.exe, inquiry Nasser Al Falahy.exe
description | pid | process
Token: SeDebugPrivilege | 1652 | inquiry Nasser Al Falahy.exe
Token: SeDebugPrivilege | 2016 | inquiry Nasser Al Falahy.exe
- Suspicious use of WriteProcessMemory 17 IoCs
Processes: inquiry Nasser Al Falahy.exe
description | pid | process | target process
PID 1652 wrote to memory of 2024 | 1652 | inquiry Nasser Al Falahy.exe | schtasks.exe
PID 1652 wrote to memory of 2024 | 1652 | inquiry Nasser Al Falahy.exe | schtasks.exe
PID 1652 wrote to memory of 2024 | 1652 | inquiry Nasser Al Falahy.exe | schtasks.exe
PID 1652 wrote to memory of 2024 | 1652 | inquiry Nasser Al Falahy.exe | schtasks.exe
PID 1652 wrote to memory of 2028 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2028 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2028 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2028 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
PID 1652 wrote to memory of 2016 | 1652 | inquiry Nasser Al Falahy.exe | inquiry Nasser Al Falahy.exe
- outlook_office_path 1 IoCs
Processes: inquiry Nasser Al Falahy.exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
- outlook_win_path 1 IoCs
Processes: inquiry Nasser Al Falahy.exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | inquiry Nasser Al Falahy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NRQOUAsHhOY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp658.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe"
  - C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\inquiry Nasser Al Falahy.exe"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp658.tmp
  Filesize: 1KB
  MD5: f4dabe9803265de8880f13c8bdcd51ef
  SHA1: a7feaac1d5419c1e5b8c49e8e0ecd9dae1047c48
  SHA256: 694bfd75c0bcb791ab834d81afc52769db0ea847a30f17bf03d68c7f5394cc4e
  SHA512: 09638117c06f7388ab83ef3945aec9769f92e2e3f38263e101886965ec0fff8eee574d7ddb5ce125d071aeb16229197263d0a0a1949d7c1d2c96ed762e167abc
- memory/1652-55-0x00000000752B1000-0x00000000752B3000-memory.dmp (Filesize: 8KB)
- memory/1652-56-0x0000000000230000-0x0000000000238000-memory.dmp (Filesize: 32KB)
- memory/1652-57-0x00000000057A0000-0x0000000005892000-memory.dmp (Filesize: 968KB)
- memory/1652-58-0x0000000004F00000-0x0000000004FC2000-memory.dmp (Filesize: 776KB)
- memory/1652-54-0x0000000000C80000-0x0000000000D88000-memory.dmp (Filesize: 1.0MB)
- memory/2016-87-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-93-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-62-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-64-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-65-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-66-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-67-0x00000000004ACD3E-mapping.dmp
- memory/2016-69-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-71-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-73-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-75-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-77-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-79-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-81-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-83-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-85-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-591-0x0000000000C60000-0x0000000000C74000-memory.dmp (Filesize: 80KB)
- memory/2016-89-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-91-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-61-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-95-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-97-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-99-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-101-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-103-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-105-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-107-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-111-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-109-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-113-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-115-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-117-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-119-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-121-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-123-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2016-588-0x0000000000580000-0x00000000005C4000-memory.dmp (Filesize: 272KB)
- memory/2016-590-0x0000000002295000-0x00000000022A6000-memory.dmp (Filesize: 68KB)
- memory/2024-59-0x0000000000000000-mapping.dmp