Overview

overview

10

Static

static

10

8ecc3131ea...8b.exe

windows7_x64

10

8ecc3131ea...8b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe

  • Size

    1.6MB

  • MD5

    701689a69877d6fd71e7872be77bcab6

  • SHA1

    dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

  • SHA256

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

  • SHA512

    5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Score
10/10
massloggerpersistencespywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 35 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
    "C:\Users\Admin\AppData\Local\Temp\8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v VideoLanApps /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v VideoLanApps /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
        3⤵
        • Adds Run key to start application
        PID:3248
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3456

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    def65711d78669d7f8e69313be4acf2e

    SHA1

    6522ebf1de09eeb981e270bd95114bc69a49cda6

    SHA256

    aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

    SHA512

    05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    15KB

    MD5

    8f1a4a4150485cb3a576f7fc2250aa28

    SHA1

    3627ef5455eb201cf3face70567c74d47f490fe2

    SHA256

    9d48ddd05cfe1f629f25a7d720c165347e792151b23b8399ffad2d3497b28e97

    SHA512

    42311312780b993853dfa5314227623c060d597128aaaabfb4298a4bceb88b11bf51f54cbf554b636252f1a1217263d8948ae04b53f526743d5d6dac5684c331

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
    Filesize

    1.6MB

    MD5

    701689a69877d6fd71e7872be77bcab6

    SHA1

    dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

    SHA256

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

    SHA512

    5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
    Filesize

    1.6MB

    MD5

    701689a69877d6fd71e7872be77bcab6

    SHA1

    dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

    SHA256

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

    SHA512

    5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

    Download Submit

  • memory/1088-200-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-204-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-174-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-652-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1088-176-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-212-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-210-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-208-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-206-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-202-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-198-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-196-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-194-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-192-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-190-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-150-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-152-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-154-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-156-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-158-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-160-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-162-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-164-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-178-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-168-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-170-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-172-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-188-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-186-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-166-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-180-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-182-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1088-184-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1908-138-0x0000000005340000-0x0000000005968000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1908-144-0x0000000006750000-0x000000000676A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1908-143-0x00000000067E0000-0x0000000006876000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1908-140-0x0000000005BA0000-0x0000000005C06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1908-137-0x0000000004CD0000-0x0000000004D06000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1908-145-0x00000000067A0000-0x00000000067C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1908-139-0x00000000052D0000-0x00000000052F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1908-141-0x0000000005C80000-0x0000000005CE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1908-142-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3456-657-0x000000006FA90000-0x000000006FADC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3456-660-0x0000000007320000-0x000000000732A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3456-656-0x0000000007180000-0x00000000071B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3456-659-0x0000000007940000-0x0000000007FBA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3456-658-0x0000000006560000-0x000000000657E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4192-131-0x0000000005BE0000-0x0000000006184000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4192-132-0x0000000005730000-0x00000000057C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4192-130-0x00000000002C0000-0x000000000046A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4192-133-0x0000000006A90000-0x0000000006AD4000-memory.dmp

    Filesize

    272KB

    Download