Overview

overview

10

Static

static

3246744-28-06.exe

windows7_x64

10

3246744-28-06.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3246744-28-06.exe

  • Size

    1.1MB

  • MD5

    a60ca849b4d2490671b6e54a97b09e87

  • SHA1

    8d02d04d3bbd2ad7c4aae65189d8e289adabbbe1

  • SHA256

    b51612fb244526a66524e234ccae2d57f1c98a37080fd94664626bcdcf6c4bbb

  • SHA512

    33ffd9ac6db80c40d7f3970d25149378c7cd606c603541cf4544076ad80b6aea628df1bc8466dbd0c870f322b05cb0da47668af8758581b0f7e3d0d041dfc0ed

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:35 PM MassLogger Started: 5/21/2022 3:06:51 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe As Administrator: True

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    m4cfund@yandex.com
  • Password:
    Dmacdavid

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3246744-28-06.exe
    "C:\Users\Admin\AppData\Local\Temp\3246744-28-06.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • memory/2916-163-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-141-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2916-167-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-645-0x00000000075C0000-0x000000000765C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2916-171-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-139-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-169-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-143-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-145-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-147-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-149-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-151-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-153-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-155-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-157-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-161-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-159-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-644-0x0000000007010000-0x0000000007060000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2916-165-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-135-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-643-0x00000000063C0000-0x00000000063CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2916-642-0x0000000005F00000-0x0000000005F66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2916-173-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-175-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-177-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-179-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-181-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-183-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-185-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-187-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-189-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-191-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-193-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-195-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-197-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2916-199-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/4408-131-0x000000000AA70000-0x000000000AB02000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4408-133-0x0000000004ED0000-0x0000000004F14000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4408-130-0x0000000000970000-0x0000000000A86000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4408-132-0x000000000B0C0000-0x000000000B664000-memory.dmp
    Filesize

    5.6MB

    Download