Overview

overview

10

Static

static

9269aa26ad...88.exe

windows7-x64

10

9269aa26ad...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe

  • Size

    770KB

  • MD5

    56dcde922cfb9bc2a36cb22feadf8194

  • SHA1

    443b8324de94cb2ae9976e3fbaf3676738e25697

  • SHA256

    9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188

  • SHA512

    aca07f602fd0af30938839be8e603691d6b080533becb5682ab005838d97b480d95ca9b6bc5efec796e40efd524b847cdfaec07049842c2529482e40a002d684

  • SSDEEP

    12288:JlOQfTlI9kETyESfxiZX43sBY1sCnY5eb3VTuRaWj1daHKy+NqU2Rpy:JlO+I3mxiZXlKnYwDp9+yKDMU2Ty

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe
    "C:\Users\Admin\AppData\Local\Temp\9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BmDmBjcGWDrHqK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:5100
    • C:\Users\Admin\AppData\Local\Temp\9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9269aa26ade2e9c4bff249a124c2f6c5a4ee0995045e01a15df8e60fcbbe3188.exe.log
    Filesize

    1KB

    MD5

    400f1cc1a0a0ce1cdabda365ab3368ce

    SHA1

    1ecf683f14271d84f3b6063493dce00ff5f42075

    SHA256

    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

    SHA512

    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp
    Filesize

    1KB

    MD5

    1ce4475fed758ec2a9a459121a8df40b

    SHA1

    d783502a43c51433e40214ca9e44b61dfc8e7940

    SHA256

    a295f237412a66851f620f1204a0290964b1ea042e1ea134ce76bb36eff93ca6

    SHA512

    0f4b7e67141dc6e96e444024889947b843dcddec8fb70e5c005802aa6ed7bad35335d9f8cb9e905690dd43fd452f735e8ec21ac34f0968262e797ec84bbb4035

    Download Submit

  • memory/2124-142-0x0000000005700000-0x0000000005766000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2124-140-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2508-147-0x0000000005CF0000-0x0000000005D56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2508-148-0x00000000063F0000-0x000000000640E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2508-152-0x00000000069D0000-0x00000000069F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2508-151-0x0000000007610000-0x00000000076A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2508-150-0x0000000006900000-0x000000000691A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-149-0x0000000007A90000-0x000000000810A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2508-144-0x0000000004E50000-0x0000000004E86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2508-145-0x00000000055C0000-0x0000000005BE8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2508-146-0x0000000005BF0000-0x0000000005C12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2732-134-0x0000000008290000-0x0000000008322000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2732-132-0x0000000000F50000-0x000000000101A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2732-133-0x0000000008660000-0x0000000008C04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2732-135-0x0000000008230000-0x000000000823A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2732-136-0x000000000BA90000-0x000000000BB2C000-memory.dmp

    Filesize

    624KB

    Download