Analysis

  • max time kernel: 153s
  • max time network: 172s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 21-05-2022 12:22

General

  • Target: OUR_NEW_.exe
  • Size: 766KB
  • MD5: 2bd29021de1827a18eb2ba749724809a
  • SHA1: 939c8d922f9fe7f04b1fedeb4032609c83e23fcf
  • SHA256: 110e9666025176f94b715b77f8677d5eb9049c6a79d61716be8e1646b70b36bb
  • SHA512: 0ace069a3bafdfb14a7589c1f50dd0fd43ee05da4e5553d5706eef727d77dfaca5995a532a8752e76e45948f343559cf63ae09aa2f432d6e9ee880fa26252dcf

Malware Config

Extracted

  • Path: C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt
  • Family: masslogger
  • Ransom Note (extracted log header, reproduced as written by the sample):

    #################################################################
    MassLogger v1.3.4.0
    #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    OS: Microsoft Windows 10 Pro64bit
    CPU: Intel Core Processor (Broadwell)
    GPU: Microsoft Basic Display Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 2:32:44 PM
    MassLogger Started: 5/21/2022 2:32:16 PM
    Interval: 96 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\OUR_NEW_.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload (32 IoCs)
  • MassLogger log file (1 IoCs)

    Detects a log file produced by MassLogger.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\OUR_NEW_.exe
    "C:\Users\Admin\AppData\Local\Temp\OUR_NEW_.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\OUR_NEW_.exe
      "C:\Users\Admin\AppData\Local\Temp\OUR_NEW_.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4692

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (1): T1012
    • System Information Discovery (1): T1082


Downloads

  • memory/864-131-0x0000000000CC0000-0x0000000000D86000-memory.dmp (792KB)
  • memory/864-132-0x0000000005D30000-0x00000000062D4000-memory.dmp (5.6MB)
  • memory/864-133-0x0000000005780000-0x0000000005812000-memory.dmp (584KB)
  • memory/864-134-0x0000000005820000-0x00000000058BC000-memory.dmp (624KB)
  • memory/4692-135-0x0000000000000000-mapping.dmp
  • memory/4692-136-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-138-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-140-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-142-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-144-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-146-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-148-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-150-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-152-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-156-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-154-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-158-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-160-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-162-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-164-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-166-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-168-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-170-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-172-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-174-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-178-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-176-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-180-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-182-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-184-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-186-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-190-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-192-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-194-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-196-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-188-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-198-0x0000000000400000-0x00000000004B0000-memory.dmp (704KB)
  • memory/4692-645-0x0000000005880000-0x00000000058E6000-memory.dmp (408KB)
  • memory/4692-646-0x0000000006FB0000-0x0000000006FBA000-memory.dmp (40KB)