Overview

overview

10

Static

static

1

img014012022.exe

windows7-x64

10

img014012022.exe

windows10-2004-x64

10

Resubmissions

28-01-2023 20:16

230128-y18sjagb93 10

15-12-2022 12:15

221215-pexcyafc8w 10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2022 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    img014012022.exe

  • Size

    667KB

  • MD5

    0d8c9a1bf7c59fc5623bc97992c84d68

  • SHA1

    f83fd12fc4ba8c891f01f93e4dbec5dd7106cbc3

  • SHA256

    f0e3d1d1dd4b0b69a99c24ce4217194e9cbbb4f1efd8edcb8831f6e889c9b5cd

  • SHA512

    776d9e66da6c499d54b760f930b7c080be33daabff33e4b9670701f21373f307af602e124ce414b3b354277c5604ae7811105dd9a8d2d8f03571e467947a3d2d

  • SSDEEP

    12288:aRW65WWrYINieIUYXPFvWYGegce9pZIdTPxM6uMdmLN4NQ/h1aikvhmF:mW65WWrYIUeIUYXP9WYGegceQN766NKL

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\img014012022.exe
    "C:\Users\Admin\AppData\Local\Temp\img014012022.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
      "C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe" C:\Users\Admin\AppData\Local\Temp\gjoxrlrsi.k
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
        "C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\djgcoe.ef
    Filesize

    577KB

    MD5

    ec34e86bfd01061019a84fe7c04a7bd6

    SHA1

    903985c33ce607533cf6deb19b13aed83bd97e1a

    SHA256

    93ac2fc5a1127495112cad16ace27883257d91de544c78c1bf06892d6f86e44b

    SHA512

    fe1452b12bb64b92ee02452fdcd382c512135894a2d635301dd4f1ed3d1cf584321b6726b51997f39ffcff2b47107bb4e1d9d16bc6817eae5300c45ae6184b1d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gjoxrlrsi.k
    Filesize

    5KB

    MD5

    cc754a54f4c748a05942f7676fe5eb50

    SHA1

    1f22f0c2b3360d16a7ebabca3fe6b023870d9535

    SHA256

    f7bba681f02389bdb4471bcef5f576db7639879e61d7260ff63ba1185e291fca

    SHA512

    23ecc16053523547411b7279a0a3493a92daae77974d87cc44c29513f59730049b383ef197a194a77392830481bf51edb6eeeecae285945ec9c845cff656eabe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • \Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • \Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • \Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    Filesize

    327KB

    MD5

    a4cc2d055427ab48e6323360250433e8

    SHA1

    a88fe1182074a402a28862c66d0ac404116e8a4a

    SHA256

    d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

    SHA512

    6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

    Download Submit

  • memory/952-67-0x0000000000BB0000-0x0000000000C34000-memory.dmp

    Filesize

    528KB

    Download

  • memory/952-68-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

    Download

  • memory/952-69-0x00000000001B0000-0x00000000001F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

    Filesize

    8KB

    Download