m00nd3v_logger | 0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2

General

Target

0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe
Size

1.5MB
MD5

4268a67c503b51b1405af8e986a96b87
SHA1

651b495b929ee0eb7d232fa8b8938e9154575140
SHA256

0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2
SHA512

40a4dbd99bbbe4b98d97ea021e63c39eb0132818a495ed3af0d9f825358fee951b16f3d229432492041188eeb265f6a7fd67a3b42fce0c8096004abb32737c57

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/908-63-0x0000000005240000-0x00000000052D0000-memory.dmp	m00nd3v_logger

Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32.Lnk cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1692 cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win32.Lnk	cscript.exe

pid	process
1692	cscript.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

pid	process
908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe
908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe
908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

description pid process

Token: SeDebugPrivilege 908 0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

description	pid	process
Token: SeDebugPrivilege	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe

description	pid	process	target process
PID 908 wrote to memory of 1692	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	cscript.exe
PID 908 wrote to memory of 1692	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	cscript.exe
PID 908 wrote to memory of 1692	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	cscript.exe
PID 908 wrote to memory of 1692	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	cscript.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe
PID 908 wrote to memory of 1616	908	0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe
"C:\Users\Admin\AppData\Local\Temp\0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\win32.vbs
2⤵
- Drops startup file
- Loads dropped DLL
PID:1692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1616

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\win32.exe
Filesize
1.5MB

MD5
4268a67c503b51b1405af8e986a96b87

SHA1
651b495b929ee0eb7d232fa8b8938e9154575140

SHA256
0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2

SHA512
40a4dbd99bbbe4b98d97ea021e63c39eb0132818a495ed3af0d9f825358fee951b16f3d229432492041188eeb265f6a7fd67a3b42fce0c8096004abb32737c57

Download Submit
C:\Users\Admin\win32.vbs
Filesize
301B

MD5
bb19a425fe7febb5170c4c857ca7cdf7

SHA1
1cff91a568bd3945144bd58abeb5bb42ba6f58b4

SHA256
710e665eb73240b8907ea09851e369e6343f95f51d57b6d522f714ed6d052f50

SHA512
7e904897e9ac0257cb30cc6f1593bf61560e59501395a180ba6ca23f233f9d580d294dd55ab1cddfa477da5e8b1fa174f0f47e6a5dd28ef2b00dd67461f08abf

Download Submit
\Users\Admin\AppData\Roaming\win32.exe
Filesize
1.5MB

MD5
4268a67c503b51b1405af8e986a96b87

SHA1
651b495b929ee0eb7d232fa8b8938e9154575140

SHA256
0e5d0fddd0a16d73df5ae711b7cdc4404471286ed7f12c049c3763c5426a3fb2

SHA512
40a4dbd99bbbe4b98d97ea021e63c39eb0132818a495ed3af0d9f825358fee951b16f3d229432492041188eeb265f6a7fd67a3b42fce0c8096004abb32737c57

Download Submit
memory/908-67-0x0000000071E30000-0x0000000072840000-memory.dmp

Filesize
10.1MB

Download
memory/908-65-0x0000000072840000-0x0000000073BCF000-memory.dmp

Filesize
19.6MB

Download
memory/908-57-0x0000000000650000-0x0000000000678000-memory.dmp

Filesize
160KB

Download
memory/908-56-0x0000000004B70000-0x0000000004C32000-memory.dmp

Filesize
776KB

Download
memory/908-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/908-63-0x0000000005240000-0x00000000052D0000-memory.dmp

Filesize
576KB

Download
memory/908-64-0x00000000702F0000-0x00000000704C1000-memory.dmp

Filesize
1.8MB

Download
memory/908-70-0x0000000070890000-0x0000000070FCE000-memory.dmp

Filesize
7.2MB

Download
memory/908-66-0x0000000073EE0000-0x00000000746C0000-memory.dmp

Filesize
7.9MB

Download
memory/908-54-0x0000000000D50000-0x0000000000ED0000-memory.dmp

Filesize
1.5MB

Download
memory/908-68-0x0000000072840000-0x0000000073BCF000-memory.dmp

Filesize
19.6MB

Download
memory/908-69-0x0000000070FD0000-0x00000000710CC000-memory.dmp

Filesize
1008KB

Download
memory/908-71-0x00000000710D0000-0x0000000071E26000-memory.dmp

Filesize
13.3MB

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads