Analysis

  • max time kernel
    106s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2025, 17:48

General

  • Target

    ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79.exe

  • Size

    1.3MB

  • MD5

    4c3f4f6690113cb6bfe349a2013eb4da

  • SHA1

    b76c0afa2b28452a5f2dc4c223d8e708268f6959

  • SHA256

    ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79

  • SHA512

    977939874979cfb90d3d3fd1c014031d4cee24fceb52fceab0868ef773b289c1b3983c70fe9e247b4380514498cf995f763587283f13dbefb3ad5937f097c195

  • SSDEEP

    24576:O9DmJQXyb5Ad4tGgUJJ1528LMhEMSoWN2D1zF:

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main payload 1 IoCs
  • Masslogger family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 56 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79.exe
    "C:\Users\Admin\AppData\Local\Temp\ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79.exe
      "C:\Users\Admin\AppData\Local\Temp\ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4796
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:3604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log

    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

    Filesize

    1.3MB

    MD5

    4c3f4f6690113cb6bfe349a2013eb4da

    SHA1

    b76c0afa2b28452a5f2dc4c223d8e708268f6959

    SHA256

    ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79

    SHA512

    977939874979cfb90d3d3fd1c014031d4cee24fceb52fceab0868ef773b289c1b3983c70fe9e247b4380514498cf995f763587283f13dbefb3ad5937f097c195

  • memory/3528-8-0x00000000061A0000-0x000000000623C000-memory.dmp

    Filesize

    624KB

  • memory/3528-10-0x0000000005490000-0x00000000054AC000-memory.dmp

    Filesize

    112KB

  • memory/3528-4-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

    Filesize

    40KB

  • memory/3528-5-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/3528-6-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

  • memory/3528-7-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/3528-17-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/3528-3-0x0000000004F00000-0x0000000004F92000-memory.dmp

    Filesize

    584KB

  • memory/3528-2-0x00000000054B0000-0x0000000005A54000-memory.dmp

    Filesize

    5.6MB

  • memory/3528-1-0x00000000004B0000-0x000000000060E000-memory.dmp

    Filesize

    1.4MB

  • memory/3528-0-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

  • memory/4768-27-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4768-33-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4768-19-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4768-20-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-18-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-22-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-23-0x0000000006890000-0x00000000068E0000-memory.dmp

    Filesize

    320KB

  • memory/4796-24-0x0000000006980000-0x0000000006A1C000-memory.dmp

    Filesize

    624KB

  • memory/4796-25-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-26-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-21-0x0000000005F30000-0x0000000005F96000-memory.dmp

    Filesize

    408KB

  • memory/4796-28-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-14-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

  • memory/4796-11-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB