Overview

overview

10

Static

static

PO__1003.exe

windows7_x64

10

PO__1003.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO__1003.exe

  • Size

    1.0MB

  • MD5

    47d10c95e38be0cfbd670a1b378c26a2

  • SHA1

    ad33ec21b4d327c036f207e62c59e85258a57502

  • SHA256

    34fd5c49f828705b2f744802f7f11c4fea6715817906c331e6052d09bedf62fa

  • SHA512

    094345c9b41e3516248cf507ec616b663615b73dd73a9b7253f69cc774aad5ccc268586de24f887c3924ac0ebbcc776f5e033d17a9975783439249f3c372afb7

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:54:33 PM MassLogger Started: 5/21/2022 2:54:26 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO__1003.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO__1003.exe
    "C:\Users\Admin\AppData\Local\Temp\PO__1003.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Users\Admin\AppData\Local\Temp\PO__1003.exe
      "{path}"
      2⤵
        PID:5024
      • C:\Users\Admin\AppData\Local\Temp\PO__1003.exe
        "{path}"
        2⤵
          PID:1376
        • C:\Users\Admin\AppData\Local\Temp\PO__1003.exe
          "{path}"
          2⤵
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO__1003.exe' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO__1003.exe'
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2260

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO__1003.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit

      • memory/1376-135-0x0000000000000000-mapping.dmp

        Download

      • memory/2260-145-0x0000000004F90000-0x00000000055B8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2260-148-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2260-152-0x00000000063C0000-0x00000000063E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2260-151-0x0000000007040000-0x00000000070D6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2260-150-0x00000000062F0000-0x000000000630A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2260-149-0x0000000007620000-0x0000000007C9A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2260-147-0x0000000005730000-0x0000000005796000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2260-146-0x0000000004F30000-0x0000000004F52000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2260-144-0x0000000004870000-0x00000000048A6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2260-143-0x0000000000000000-mapping.dmp

        Download

      • memory/2312-141-0x0000000006AA0000-0x0000000006AF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2312-140-0x0000000006680000-0x000000000668A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2312-139-0x0000000005170000-0x00000000051D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2312-137-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2312-136-0x0000000000000000-mapping.dmp

        Download

      • memory/2384-142-0x0000000000000000-mapping.dmp

        Download

      • memory/4536-130-0x0000000000010000-0x000000000011A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4536-131-0x000000000A960000-0x000000000AF04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4536-133-0x000000000A5D0000-0x000000000A66C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4536-132-0x000000000A490000-0x000000000A522000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5024-134-0x0000000000000000-mapping.dmp

        Download