Analysis

  • max time kernel
    164s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:19

General

  • Target

    Enquiry.exe

  • Size

    797KB

  • MD5

    f71557e9155556d4f0ea0e03b307f11d

  • SHA1

    a04a977026b26e1da0f43ba3fd6a1112df109db9

  • SHA256

    1f4f66b6c25fcf9e510c93af0fb57942013de942175617a7b3a515709a44bed5

  • SHA512

    8a575f1a4364f35d3187cb9eb117a7bfdbc4d152ce2a72bfbca4dc80f6007493109de56ec4e870a2486df30bd17904970f08c463119280df07b06f7d8c9596f7

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:32:54 PM MassLogger Started: 5/21/2022 2:32:43 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Enquiry.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 6 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Enquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Enquiry.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOWbzufm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1536
    • C:\Users\Admin\AppData\Local\Temp\Enquiry.exe
      "{path}"
      2⤵
        PID:1764
      • C:\Users\Admin\AppData\Local\Temp\Enquiry.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp
      Filesize

      1KB

      MD5

      61f6ce0ef4e13a72ed8777044ddca6e3

      SHA1

      6828fc4ebc86b43f054c50800ad7b9298a276fbe

      SHA256

      24ec2bc9414764d24a28a0c1839f47e4baa4636b38b292f1d25c36b40adb6e18

      SHA512

      8755b449db60e3d7e525a52e4ef57df3cc7f86a8551000e82e33d2fea0aa31469c4b1748caff2af90b4a5e149c11c4715498e76fcfafc7b4335bafd243e125c3

    • memory/624-55-0x0000000000200000-0x0000000000210000-memory.dmp
      Filesize

      64KB

    • memory/624-56-0x0000000005970000-0x0000000005A20000-memory.dmp
      Filesize

      704KB

    • memory/624-54-0x0000000000E90000-0x0000000000F5E000-memory.dmp
      Filesize

      824KB

    • memory/1064-62-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-59-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-60-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-63-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-69-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-67-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-65-0x00000000004A303E-mapping.dmp
    • memory/1064-64-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

    • memory/1064-70-0x0000000000770000-0x00000000007B4000-memory.dmp
      Filesize

      272KB

    • memory/1064-71-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
      Filesize

      8KB

    • memory/1064-72-0x0000000004D75000-0x0000000004D86000-memory.dmp
      Filesize

      68KB

    • memory/1536-57-0x0000000000000000-mapping.dmp