Analysis

  • max time kernel
    89s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:20

General

  • Target

    DHL_MAY_.exe

  • Size

    1MB

  • MD5

    7f56bc3c202c7284b09d069b1fe4e0df

  • SHA1

    5218641a49868df36c1ee409c22ce14e56b7dfb8

  • SHA256

    15fca9cc94b9a0632fe98a3a15e0c75d1f3ff2ce42a47d7b9d76217ca4bfca05

  • SHA512

    d0e7a060a67227891b54385432ae39f4572cb26e7c844b6d6222b7a454cbbeb9ab1013a157afaac605ea62b34b023e2d02b30eae9abea23b4b1ce2d7b46fedf2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 #################################################################
### Logger Details ###
User Name: Admin
IP: 127.0.0.1
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 3:07:23 PM
MassLogger Started: 5/21/2022 3:07:05 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 58 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry 1 T1012
    • System Information Discovery 1 T1082

Downloads
