masslogger | 7555d64904a5d2c9cd8489c031afe9b095b1db27d2ac3664e23f25824018407e

Analysis

max time kernel
179s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2e13aa2a4cd620cbdc6c7aff908100.exe
Size

1.1MB
MD5

2c2e13aa2a4cd620cbdc6c7aff908100
SHA1

4e837ccf0c4ba614989b96b95b002d516ddf4517
SHA256

7555d64904a5d2c9cd8489c031afe9b095b1db27d2ac3664e23f25824018407e
SHA512

36c26058ed94a7d737d1e53581355ddc67d9f698e88f315922e1d543593f7e7d6bf0ce126363cb8800d64c97e2fd72be33a38f0e8c3f32758635e9f60fada26a
SSDEEP

24576:RDvlsb133PqjTWnxdAHPcp1YprUlMegz:lvuBnPqjTWkHUpk46e

Score

10^/10

masslogger zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1080-6-0x0000000000400000-0x000000000049A000-memory.dmp	family_zgrat_v1

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 1 IoCs

resource	yara_rule
behavioral2/memory/1080-6-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	2c2e13aa2a4cd620cbdc6c7aff908100.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe
Token: SeRestorePrivilege	1524	dw20.exe
Token: SeBackupPrivilege	1524	dw20.exe
Token: SeBackupPrivilege	1524	dw20.exe
Token: SeBackupPrivilege	1524	dw20.exe
Token: SeBackupPrivilege	1524	dw20.exe
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2156	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	100
PID 4028 wrote to memory of 2156	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	100
PID 4028 wrote to memory of 2156	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	100
PID 4028 wrote to memory of 1112	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	101
PID 4028 wrote to memory of 1112	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	101
PID 4028 wrote to memory of 1112	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	101
PID 4028 wrote to memory of 4012	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	103
PID 4028 wrote to memory of 4012	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	103
PID 4028 wrote to memory of 4012	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	103
PID 4028 wrote to memory of 980	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	104
PID 4028 wrote to memory of 980	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	104
PID 4028 wrote to memory of 980	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	104
PID 4028 wrote to memory of 5020	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	105
PID 4028 wrote to memory of 5020	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	105
PID 4028 wrote to memory of 5020	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	105
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 4028 wrote to memory of 1080	4028	2c2e13aa2a4cd620cbdc6c7aff908100.exe	106
PID 1080 wrote to memory of 1524	1080	2c2e13aa2a4cd620cbdc6c7aff908100.exe	107
PID 1080 wrote to memory of 1524	1080	2c2e13aa2a4cd620cbdc6c7aff908100.exe	107
PID 1080 wrote to memory of 1524	1080	2c2e13aa2a4cd620cbdc6c7aff908100.exe	107

C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
"C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
  "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
  "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
  "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  PID:980
- C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
  "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe
  "C:\Users\Admin\AppData\Local\Temp\2c2e13aa2a4cd620cbdc6c7aff908100.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 768
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2c2e13aa2a4cd620cbdc6c7aff908100.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
memory/1080-6-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1080-24-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/1080-12-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/1080-10-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/1080-9-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/2156-27-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/2156-39-0x0000000006850000-0x000000000689C000-memory.dmp

Filesize
304KB

Download
memory/2156-66-0x0000000071990000-0x0000000072140000-memory.dmp

Filesize
7.7MB

Download
memory/2156-63-0x0000000007E40000-0x0000000007E48000-memory.dmp

Filesize
32KB

Download
memory/2156-62-0x0000000007E60000-0x0000000007E7A000-memory.dmp

Filesize
104KB

Download
memory/2156-61-0x0000000007D60000-0x0000000007D74000-memory.dmp

Filesize
80KB

Download
memory/2156-14-0x0000000071990000-0x0000000072140000-memory.dmp

Filesize
7.7MB

Download
memory/2156-15-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2156-18-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2156-13-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/2156-21-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/2156-60-0x0000000007D50000-0x0000000007D5E000-memory.dmp

Filesize
56KB

Download
memory/2156-25-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/2156-26-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/2156-59-0x0000000007D20000-0x0000000007D31000-memory.dmp

Filesize
68KB

Download
memory/2156-37-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/2156-38-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/2156-58-0x0000000007DA0000-0x0000000007E36000-memory.dmp

Filesize
600KB

Download
memory/2156-40-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2156-41-0x000000007F0E0000-0x000000007F0F0000-memory.dmp

Filesize
64KB

Download
memory/2156-53-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/2156-54-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/2156-43-0x00000000726F0000-0x000000007273C000-memory.dmp

Filesize
304KB

Download
memory/2156-42-0x00000000079E0000-0x0000000007A12000-memory.dmp

Filesize
200KB

Download
memory/2156-56-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/2156-55-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/2156-57-0x0000000007B90000-0x0000000007B9A000-memory.dmp

Filesize
40KB

Download
memory/4028-5-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/4028-0-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4028-2-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/4028-1-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4028-3-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4028-11-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4028-4-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download