Analysis

  • max time kernel
    108s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:54

General

  • Target

    PO#556361TW.exe

  • Size

    704KB

  • MD5

    ff87250b9ebf0cddd524ba8e4282d94f

  • SHA1

    af575cb114ce44e76ec94d5e5bd29f59230042c1

  • SHA256

    4c4ee69bd58db589d202dcfb5872fb970e4367547e4ba90f57d9db502daa1c65

  • SHA512

    f2244aaed8910aa338a15e4dd1e0128839ea053ca837955c40ba1d79829504e8a7276c8c4879ba52561757375b310507102868900c30d44ae2b444e586df79c8

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\19E979543A\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 8:55:23 PM MassLogger Started: 5/21/2022 8:55:08 PM Interval: 12 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO#556361TW.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#556361TW.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#556361TW.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • outlook_office_path
    • outlook_win_path
    PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4916-130-0x0000000000310000-0x00000000003C6000-memory.dmp
    Filesize

    728KB

  • memory/4916-131-0x0000000004DE0000-0x0000000004E46000-memory.dmp
    Filesize

    408KB

  • memory/4916-132-0x0000000005990000-0x0000000005F34000-memory.dmp
    Filesize

    5.6MB

  • memory/4916-133-0x0000000005050000-0x00000000050EC000-memory.dmp
    Filesize

    624KB

  • memory/4916-134-0x00000000050F0000-0x0000000005182000-memory.dmp
    Filesize

    584KB

  • memory/4916-135-0x0000000006E50000-0x0000000006E5A000-memory.dmp
    Filesize

    40KB

  • memory/4916-136-0x0000000007B50000-0x0000000007BA0000-memory.dmp
    Filesize

    320KB