masslogger | 12e063fa87cf457809c5ccc5e850c2f471bfedec9237d611903691e8ba604ee3

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wsp1Y2kaMZ5npFn.exe
Size

866KB
MD5

05e6d0fec133b11165f4db25f7256682
SHA1

609af629da07ae0ebbe39c2de2502752f5e4553f
SHA256

6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
SHA512

fd580785c67b8934ea27005c161258dfa8316631b35670a3e208c09464bab34a3b45d246763835dd7b02a9c104c237516e5a3dfb881d465c53e29f4f88c0be18
SSDEEP

12288:P+jP6eP9b2N+P7SeThWBfeiRR/Zqa5vQLuB0pnebzv019XdctgSq3X0OywVtBycv:GjP6+3P7SG8Rh51819tN7VtB7

Score

10^/10

masslogger defense_evasion discovery spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 5 IoCs

resource	yara_rule
behavioral1/memory/2316-11-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2316-10-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2316-19-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2316-16-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/2316-14-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Deletes itself 1 IoCs

pid	Process
2344	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wsp1Y2kaMZ5npFn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wsp1Y2kaMZ5npFn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2724	Wsp1Y2kaMZ5npFn.exe
2316	Wsp1Y2kaMZ5npFn.exe
2316	Wsp1Y2kaMZ5npFn.exe
2344	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	Wsp1Y2kaMZ5npFn.exe
Token: SeDebugPrivilege	2316	Wsp1Y2kaMZ5npFn.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2044	2724	Wsp1Y2kaMZ5npFn.exe	31
PID 2724 wrote to memory of 2044	2724	Wsp1Y2kaMZ5npFn.exe	31
PID 2724 wrote to memory of 2044	2724	Wsp1Y2kaMZ5npFn.exe	31
PID 2724 wrote to memory of 2044	2724	Wsp1Y2kaMZ5npFn.exe	31
PID 2724 wrote to memory of 2844	2724	Wsp1Y2kaMZ5npFn.exe	32
PID 2724 wrote to memory of 2844	2724	Wsp1Y2kaMZ5npFn.exe	32
PID 2724 wrote to memory of 2844	2724	Wsp1Y2kaMZ5npFn.exe	32
PID 2724 wrote to memory of 2844	2724	Wsp1Y2kaMZ5npFn.exe	32
PID 2724 wrote to memory of 2252	2724	Wsp1Y2kaMZ5npFn.exe	33
PID 2724 wrote to memory of 2252	2724	Wsp1Y2kaMZ5npFn.exe	33
PID 2724 wrote to memory of 2252	2724	Wsp1Y2kaMZ5npFn.exe	33
PID 2724 wrote to memory of 2252	2724	Wsp1Y2kaMZ5npFn.exe	33
PID 2724 wrote to memory of 2128	2724	Wsp1Y2kaMZ5npFn.exe	34
PID 2724 wrote to memory of 2128	2724	Wsp1Y2kaMZ5npFn.exe	34
PID 2724 wrote to memory of 2128	2724	Wsp1Y2kaMZ5npFn.exe	34
PID 2724 wrote to memory of 2128	2724	Wsp1Y2kaMZ5npFn.exe	34
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2724 wrote to memory of 2316	2724	Wsp1Y2kaMZ5npFn.exe	35
PID 2316 wrote to memory of 2344	2316	Wsp1Y2kaMZ5npFn.exe	37
PID 2316 wrote to memory of 2344	2316	Wsp1Y2kaMZ5npFn.exe	37
PID 2316 wrote to memory of 2344	2316	Wsp1Y2kaMZ5npFn.exe	37
PID 2316 wrote to memory of 2344	2316	Wsp1Y2kaMZ5npFn.exe	37

C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
"C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
  "{path}"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
  "{path}"
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
  "{path}"
  2⤵
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
  "{path}"
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Wsp1Y2kaMZ5npFn.exe'
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-21-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-11-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-7-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2316-23-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-22-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-5-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/2724-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/2724-20-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-2-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2724-6-0x0000000007B00000-0x0000000007B98000-memory.dmp

Filesize
608KB

Download
memory/2724-1-0x0000000000200000-0x00000000002DE000-memory.dmp

Filesize
888KB

Download
memory/2724-4-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-3-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download