m00nd3v_logger | 0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf

Analysis

max time kernel
164s
max time network
161s
platform
windows7_x64
resource
win7-20220414-en
submitted
31-05-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
Size

986KB
MD5

45dd85c126af01c7e0a4d68a11b860dd
SHA1

62b3ec81fe6b2e9a8d1b2b3946997569328d878b
SHA256

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf
SHA512

8cfb49dfb56ce81cb98025bc9353535514d64702126686a2db8bf695977d6b66f8dbcff5bd76a82498918bbd16d749934d3b0014a779eb8f8890d6ab5c9d572c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1724-67-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger
behavioral1/memory/1724-71-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 bot.whatismyipaddress.com

flow	ioc
10	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description	pid	process	target process
PID 2024 set thread context of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

Drops file in Windows directory 2 IoCs

Processes:

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description pid process

Token: SeDebugPrivilege 2024 0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description	pid	process
Token: SeDebugPrivilege	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

description	pid	process	target process
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
PID 2024 wrote to memory of 1724	2024	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe	0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe

C:\Users\Admin\AppData\Local\Temp\0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
"C:\Users\Admin\AppData\Local\Temp\0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe
"C:\Users\Admin\AppData\Local\Temp\0647075334a86764440847c4a96f489308de78cc3b7ce4ac935c12681ec5d5bf.exe"
2⤵
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-86-0x00000000712B0000-0x00000000717E6000-memory.dmp

Filesize
5.2MB

Download
memory/1724-91-0x00000000717F0000-0x000000007198B000-memory.dmp

Filesize
1.6MB

Download
memory/1724-96-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/1724-76-0x0000000074090000-0x0000000074218000-memory.dmp

Filesize
1.5MB

Download
memory/1724-95-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/1724-78-0x00000000717F0000-0x000000007198B000-memory.dmp

Filesize
1.6MB

Download
memory/1724-94-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download
memory/1724-77-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/1724-93-0x00000000744F0000-0x00000000745F4000-memory.dmp

Filesize
1.0MB

Download
memory/1724-92-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-90-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/1724-84-0x00000000744F0000-0x00000000745F4000-memory.dmp

Filesize
1.0MB

Download
memory/1724-89-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/1724-67-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1724-69-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1724-68-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1724-71-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1724-73-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-74-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download
memory/1724-75-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/1724-88-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download
memory/1724-87-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-85-0x0000000073F90000-0x0000000074081000-memory.dmp

Filesize
964KB

Download
memory/2024-65-0x0000000071990000-0x0000000071BC5000-memory.dmp

Filesize
2.2MB

Download
memory/2024-80-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download
memory/2024-81-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/2024-82-0x0000000074090000-0x0000000074218000-memory.dmp

Filesize
1.5MB

Download
memory/2024-83-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/2024-79-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-59-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/2024-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/2024-61-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download
memory/2024-57-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/2024-66-0x0000000071990000-0x0000000071BC5000-memory.dmp

Filesize
2.2MB

Download
memory/2024-55-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-64-0x0000000071BD0000-0x00000000727AE000-memory.dmp

Filesize
11.9MB

Download
memory/2024-63-0x0000000074090000-0x0000000074218000-memory.dmp

Filesize
1.5MB

Download
memory/2024-62-0x00000000727B0000-0x0000000072F4C000-memory.dmp

Filesize
7.6MB

Download
memory/2024-60-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-58-0x0000000074090000-0x0000000074218000-memory.dmp

Filesize
1.5MB

Download
memory/2024-56-0x0000000072F50000-0x0000000073A48000-memory.dmp

Filesize
11.0MB

Download