Overview

overview

10

Static

static

LIST OF PR...ED.exe

windows7-x64

10

LIST OF PR...ED.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LIST OF PRODUCTS NEEDED.exe

  • Size

    1.1MB

  • MD5

    af517807c4b6160d07314ba228f333de

  • SHA1

    9020081ebc00595e57d5d40a742682f4de0b7671

  • SHA256

    e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41

  • SHA512

    8647a9336ff7e33b60c7f9903d9214de5842bc195f4460870f9dda8205397ef9aaddf0a371ceb90b280e9b26017e53e0c10422844ce0f30fda14b7dccc310b00

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS NEEDED.exe
    "C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS NEEDED.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 760
        3⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1100-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1100-133-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/1100-136-0x0000000075520000-0x0000000075AD1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1100-137-0x0000000075520000-0x0000000075AD1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1652-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4228-130-0x0000000075520000-0x0000000075AD1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4228-131-0x0000000075520000-0x0000000075AD1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4228-135-0x0000000075520000-0x0000000075AD1000-memory.dmp
    Filesize

    5.7MB

    Download