Analysis
-
max time kernel
98s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 12:13
Static task
static1
Behavioral task
behavioral1
Sample
catalogues lists.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
catalogues lists.exe
Resource
win10v2004-20220414-en
General
-
Target
catalogues lists.exe
-
Size
847KB
-
MD5
f6d7d69e4daa79e5a61cee1dd563f372
-
SHA1
6fa906729eafee56d8c077215881cbb0f7a8ad36
-
SHA256
1a1e5e11d4fc8b5b0b1b8d7ba56879a75c9079aa63c613d2f266a1b84bc15cfd
-
SHA512
28a9ccfa6b1d20ccae445d41989c2115e6a2bb5f16b828fc4dc22f588f27c826edec7a590243db2e38d0de9956469604bb58c97f773c7310bffc49f4408aa380
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt
masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
catalogues lists.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion catalogues lists.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion catalogues lists.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
catalogues lists.execatalogues lists.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation catalogues lists.exe Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation catalogues lists.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
Processes:
catalogues lists.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook catalogues lists.exe Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook catalogues lists.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook catalogues lists.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 api.ipify.org 27 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
catalogues lists.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum catalogues lists.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 catalogues lists.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
catalogues lists.exedescription pid process target process PID 1960 set thread context of 4232 1960 catalogues lists.exe catalogues lists.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
catalogues lists.exepid process 4232 catalogues lists.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
catalogues lists.exepid process 4232 catalogues lists.exe 4232 catalogues lists.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
catalogues lists.exedescription pid process Token: SeDebugPrivilege 4232 catalogues lists.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
catalogues lists.exepid process 4232 catalogues lists.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
catalogues lists.exedescription pid process target process PID 1960 wrote to memory of 5068 1960 catalogues lists.exe schtasks.exe PID 1960 wrote to memory of 5068 1960 catalogues lists.exe schtasks.exe PID 1960 wrote to memory of 5068 1960 catalogues lists.exe schtasks.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe PID 1960 wrote to memory of 4232 1960 catalogues lists.exe catalogues lists.exe -
outlook_office_path 1 IoCs
Processes:
catalogues lists.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe -
outlook_win_path 1 IoCs
Processes:
catalogues lists.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 catalogues lists.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\catalogues lists.exe"C:\Users\Admin\AppData\Local\Temp\catalogues lists.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZBHCZCxhdAG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEE9.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\catalogues lists.exe"C:\Users\Admin\AppData\Local\Temp\catalogues lists.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\catalogues lists.exe.logFilesize
1KB
MD5e08f822522c617a40840c62e4b0fb45e
SHA1ae516dca4da5234be6676d3f234c19ec55725be7
SHA256bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
-
C:\Users\Admin\AppData\Local\Temp\tmpEEE9.tmpFilesize
1KB
MD57e285f85deb3008bc26968f4c151a0f8
SHA15f79f3f9dc5b1a092b83e2ceb966403b95aa048a
SHA256fd535d8b86dd1ed3907fb2e127a8f5c709cdf2a44a095a27b86c3710c6ecfae8
SHA5121d691b17180f7b79de637f52036773b0be4e7347526f859653022370d921fe77d85f02580639a2d9ef596a7f0d8fcd219f22333ee37fcf38f9e926b93615c190
-
memory/1960-131-0x00000000056F0000-0x0000000005C94000-memory.dmpFilesize
5.6MB
-
memory/1960-132-0x0000000005240000-0x00000000052D2000-memory.dmpFilesize
584KB
-
memory/1960-133-0x00000000053E0000-0x00000000053EA000-memory.dmpFilesize
40KB
-
memory/1960-134-0x0000000006170000-0x000000000620C000-memory.dmpFilesize
624KB
-
memory/1960-135-0x00000000062D0000-0x0000000006336000-memory.dmpFilesize
408KB
-
memory/1960-130-0x0000000000920000-0x00000000009FA000-memory.dmpFilesize
872KB
-
memory/4232-160-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-170-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-138-0x0000000000000000-mapping.dmp
-
memory/4232-142-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-144-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-146-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-148-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-150-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-152-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-154-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-156-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-158-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-651-0x0000000007A30000-0x0000000007A80000-memory.dmpFilesize
320KB
-
memory/4232-162-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-164-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-166-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-168-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-139-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-172-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-174-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-176-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-178-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-180-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-182-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-184-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-186-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-188-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-190-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-192-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-194-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-196-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-200-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-198-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4232-202-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/5068-136-0x0000000000000000-mapping.dmp