masslogger | 04ef0a62b8d14320163fa5bd84f000d05cbecffe1f65adfac23db9825c7f10ba

General

Target

scan00465.pdf.exe
Size

1.2MB
MD5

52555fd6673c6f44b7b57d6e1833d1ef
SHA1

6c7dc7a759845917b43da8d5dd73e8f34623adff
SHA256

9ae31235da17306c07a77f94a3541a835f0033df9bc7636a39c984e8cea9e72a
SHA512

a217c4dc99f575c76d3894f2a4e78d810d00a8e5423093c3e9e622b4f94f46261efb74be76278d72c139f0196d20774ecc0ceb2f670768932fcf4e439df38847

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\0F48153F20\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:02:37 PM MassLogger Started: 5/21/2022 1:02:34 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

Protocol: smtp
Host:
mail.saritatravels.com
Port:
587
Username:
[email protected]
Password:
sumits%$321

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

scan00465.pdf.exescan00465.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	scan00465.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	scan00465.pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

scan00465.pdf.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	scan00465.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	scan00465.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	scan00465.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan00465.pdf.exe

description pid process target process

PID 2160 set thread context of 1760 2160 scan00465.pdf.exe scan00465.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1868 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

scan00465.pdf.exescan00465.pdf.exe

pid process

2160 scan00465.pdf.exe
2160 scan00465.pdf.exe
2160 scan00465.pdf.exe
2160 scan00465.pdf.exe
2160 scan00465.pdf.exe
1760 scan00465.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

scan00465.pdf.exescan00465.pdf.exe

description pid process

Token: SeDebugPrivilege 2160 scan00465.pdf.exe
Token: SeDebugPrivilege 1760 scan00465.pdf.exe

flow	ioc
14	api.ipify.org

description	pid	process	target process
PID 2160 set thread context of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe

pid	process
1868	schtasks.exe

pid	process
2160	scan00465.pdf.exe
2160	scan00465.pdf.exe
2160	scan00465.pdf.exe
2160	scan00465.pdf.exe
2160	scan00465.pdf.exe
1760	scan00465.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2160	scan00465.pdf.exe
Token: SeDebugPrivilege	1760	scan00465.pdf.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

scan00465.pdf.exe

description	pid	process	target process
PID 2160 wrote to memory of 1868	2160	scan00465.pdf.exe	schtasks.exe
PID 2160 wrote to memory of 1868	2160	scan00465.pdf.exe	schtasks.exe
PID 2160 wrote to memory of 1868	2160	scan00465.pdf.exe	schtasks.exe
PID 2160 wrote to memory of 888	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 888	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 888	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1600	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1600	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1600	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe
PID 2160 wrote to memory of 1760	2160	scan00465.pdf.exe	scan00465.pdf.exe

outlook_office_path 1 IoCs

Processes:

scan00465.pdf.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe

outlook_win_path 1 IoCs

Processes:

scan00465.pdf.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scan00465.pdf.exe

C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LOPSNfzrlbcrm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA33.tmp"
2⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
"{path}"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
"{path}"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
"{path}"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan00465.pdf.exe.log
Filesize
1KB

MD5
45242be47e5fefb0e8ca1070ed4d9b98

SHA1
42d6890eaae85ad3423231b13e6f96e1a93c8165

SHA256
d9bde55febcd84b87cbe03e0a754bf24337f479c55f9853f5e991e24e5da2b3f

SHA512
d0c7c161749ec6310733d16159be5af15614744749396d785f84652c74a1ca09b4418eac99f3edc6c5922d6e264ba9bdc219359878199fed6c05326041115ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA33.tmp
Filesize
1KB

MD5
bad012c5c36930227c79c2f562956a0f

SHA1
7691427645a6052a96b6c2e7d618043c6f0a6561

SHA256
5febb6be409b01782bec414c390b9fe174ed57143137fd86f360677641ecbed7

SHA512
a4b043f1024bbd1d7e0542d95a6d55a9ad40ebaeca8e304de588a03c22ec54b7193d23ed7a79d864b4d685713f0702e2062643f3d665985f3a0c4edbc228fd18

Download Submit
memory/888-137-0x0000000000000000-mapping.dmp

Download
memory/1600-138-0x0000000000000000-mapping.dmp

Download
memory/1760-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-653-0x0000000007410000-0x0000000007460000-memory.dmp

Filesize
320KB

Download
memory/1760-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-652-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/1760-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-203-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-201-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-199-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-139-0x0000000000000000-mapping.dmp

Download
memory/1760-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1760-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1868-135-0x0000000000000000-mapping.dmp

Download
memory/2160-131-0x000000000A090000-0x000000000A122000-memory.dmp

Filesize
584KB

Download
memory/2160-133-0x000000000A270000-0x000000000A27A000-memory.dmp

Filesize
40KB

Download
memory/2160-130-0x0000000000030000-0x0000000000160000-memory.dmp

Filesize
1.2MB

Download
memory/2160-132-0x000000000A6E0000-0x000000000AC84000-memory.dmp

Filesize
5.6MB

Download
memory/2160-134-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads