Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
31-05-2022 00:00
General
-
Target
DHL BILL OF LADING 62803217763.exe
-
Size
736KB
-
MD5
5577d22b593e5d028b779dd76891acf2
-
SHA1
c6ab92abb2f50e484aa672f71f5d04093a21cc2b
-
SHA256
64c4c850be4f8e9a0e12eeeb015c503dd5a2d0f22b8d872678227729bb6db757
-
SHA512
3376f5c418b824343624ef1a38337f63ad49d03f71330a8419a60befdc5c355a5e8e2e862967ef846b8270832f0c6b9504b6620ea985d102ad7ecee83de84834
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
#################################################################
MassLogger v1.3.2.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/31/2022 3:41:12 AM
MassLogger Started: 5/31/2022 3:41:02 AM
Interval: 6 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL BILL OF LADING 62803217763.exe
As Administrator: True
Extracted
Credentials
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
eurotoolz@returntolz.com - Password:
Protected@123
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL BILL OF LADING 62803217763.exe"C:\Users\Admin\AppData\Local\Temp\DHL BILL OF LADING 62803217763.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL BILL OF LADING 62803217763.exe"C:\Users\Admin\AppData\Local\Temp\DHL BILL OF LADING 62803217763.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/316-54-0x0000000000800000-0x00000000008BE000-memory.dmpFilesize
760KB
-
memory/316-55-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/316-56-0x0000000074970000-0x0000000074B04000-memory.dmpFilesize
1.6MB
-
memory/316-57-0x00000000769D1000-0x00000000769D3000-memory.dmpFilesize
8KB
-
memory/316-58-0x00000000003A0000-0x00000000003A8000-memory.dmpFilesize
32KB
-
memory/316-59-0x0000000004C00000-0x0000000004CA8000-memory.dmpFilesize
672KB
-
memory/316-60-0x00000000715E0000-0x00000000722FD000-memory.dmpFilesize
13.1MB
-
memory/316-61-0x00000000003D0000-0x00000000003E6000-memory.dmpFilesize
88KB
-
memory/316-62-0x0000000070E00000-0x00000000715E0000-memory.dmpFilesize
7.9MB
-
memory/316-63-0x0000000074870000-0x000000007496C000-memory.dmpFilesize
1008KB
-
memory/316-64-0x00000000706C0000-0x0000000070DFE000-memory.dmpFilesize
7.2MB
-
memory/316-65-0x0000000000770000-0x0000000000786000-memory.dmpFilesize
88KB
-
memory/316-66-0x0000000072300000-0x0000000072D10000-memory.dmpFilesize
10.1MB
-
memory/316-67-0x00000000743B0000-0x0000000074581000-memory.dmpFilesize
1.8MB
-
memory/316-68-0x0000000070590000-0x00000000706B3000-memory.dmpFilesize
1.1MB
-
memory/316-69-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/316-70-0x00000000715E0000-0x00000000722FD000-memory.dmpFilesize
13.1MB
-
memory/316-71-0x0000000070E00000-0x00000000715E0000-memory.dmpFilesize
7.9MB
-
memory/316-72-0x00000000007E0000-0x00000000007F4000-memory.dmpFilesize
80KB
-
memory/316-83-0x00000000743B0000-0x0000000074581000-memory.dmpFilesize
1.8MB
-
memory/316-81-0x0000000072300000-0x0000000072D10000-memory.dmpFilesize
10.1MB
-
memory/316-90-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/668-73-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-74-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-77-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-76-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-78-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-79-0x00000000004A218E-mapping.dmp
-
memory/668-82-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-85-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-87-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-89-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-92-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-94-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-97-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/668-96-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-99-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-101-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-103-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-105-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-108-0x0000000072300000-0x0000000072D10000-memory.dmpFilesize
10.1MB
-
memory/668-107-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-110-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-112-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-114-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-116-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-118-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-120-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-122-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-128-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-126-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-132-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-136-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-140-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-138-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-134-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-130-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-124-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/668-590-0x0000000071B20000-0x0000000072300000-memory.dmpFilesize
7.9MB
-
memory/668-591-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/668-592-0x0000000072300000-0x0000000072D10000-memory.dmpFilesize
10.1MB
-
memory/668-593-0x0000000074930000-0x0000000074AC4000-memory.dmpFilesize
1.6MB
-
memory/668-594-0x0000000070E00000-0x0000000071B1D000-memory.dmpFilesize
13.1MB
-
memory/668-595-0x0000000074750000-0x000000007484C000-memory.dmpFilesize
1008KB
-
memory/668-596-0x000000006FF80000-0x00000000706BE000-memory.dmpFilesize
7.2MB
-
memory/668-597-0x0000000074410000-0x0000000074533000-memory.dmpFilesize
1.1MB
-
memory/668-598-0x0000000074930000-0x0000000074AC4000-memory.dmpFilesize
1.6MB
-
memory/668-599-0x0000000070E00000-0x0000000071B1D000-memory.dmpFilesize
13.1MB
-
memory/668-600-0x0000000074750000-0x000000007484C000-memory.dmpFilesize
1008KB
-
memory/668-601-0x0000000074410000-0x0000000074533000-memory.dmpFilesize
1.1MB
-
memory/668-602-0x0000000004C40000-0x0000000004C84000-memory.dmpFilesize
272KB
-
memory/668-603-0x00000000708C0000-0x000000007098F000-memory.dmpFilesize
828KB
-
memory/668-604-0x00000000706E0000-0x00000000708B1000-memory.dmpFilesize
1.8MB
-
memory/668-605-0x0000000072D10000-0x000000007409F000-memory.dmpFilesize
19.6MB
-
memory/668-606-0x0000000072300000-0x0000000072D10000-memory.dmpFilesize
10.1MB
-
memory/668-607-0x0000000071B20000-0x0000000072300000-memory.dmpFilesize
7.9MB
-
memory/668-608-0x0000000074930000-0x0000000074AC4000-memory.dmpFilesize
1.6MB
-
memory/668-609-0x0000000070E00000-0x0000000071B1D000-memory.dmpFilesize
13.1MB
-
memory/668-610-0x0000000074750000-0x000000007484C000-memory.dmpFilesize
1008KB
-
memory/668-611-0x000000006FF80000-0x00000000706BE000-memory.dmpFilesize
7.2MB