m00nd3v_logger | 329e6260889146a492fa6b82bde020f3db2101702ce4eca13974c09275158585

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 10884-01.exe
Size

763KB
MD5

6c69ff3ad392bfc6921775dfaee888c9
SHA1

a316d28e4f9bc679c536a98b8386a8d9b828242e
SHA256

861b31169b4ee1cd46f2cf7da3483f91974c10259592253ed54aa7cf58b50b1b
SHA512

b2b6e8a527d3a483331005975d171c21097d3f0ed337f1e5d19cad35d884c0f824e026cbc0ca6c6ca6cb750b9b5d968abaa3b3238a7beadee2b5db753058b356
SSDEEP

12288:bzYlyMqL0jp2ANybNrL0UTfC7V9J+kHl4VqhzyC5wXZ1YMJXaoy6I8GrMjr1e:HMjEANybNrYUT6p9x43ZuMJXaCI8GrMF

Score

10^/10

m00nd3v_logger collection infostealer persistence spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
M00nD3v Logger payload 1 IoCs
Detects M00nD3v Logger payload in memory.
infostealer

Processes:

resource yara_rule

behavioral2/memory/3496-77-0x00000000053E0000-0x0000000005470000-memory.dmp m00nd3v_logger
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/1268-101-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView
behavioral2/memory/1268-104-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView

resource	yara_rule
behavioral2/memory/3496-77-0x00000000053E0000-0x0000000005470000-memory.dmp	m00nd3v_logger

resource	yara_rule
behavioral2/memory/1268-101-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1268-104-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3832-89-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3832-96-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3832-89-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3832-96-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1268-101-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1268-104-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

vbc.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PO 10884-01.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startupname = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\filename.exe"	PO 10884-01.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 bot.whatismyipaddress.com

flow	ioc
12	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO 10884-01.exeRegAsm.exe

description	pid	process	target process
PID 3496 set thread context of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 1716 set thread context of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 set thread context of 1268	1716	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PO 10884-01.exe

pid	process
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe
3496	PO 10884-01.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO 10884-01.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3496 PO 10884-01.exe
Token: SeDebugPrivilege 1716 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1716 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3496	PO 10884-01.exe
Token: SeDebugPrivilege	1716	RegAsm.exe

pid	process
1716	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

PO 10884-01.exeRegAsm.exe

description	pid	process	target process
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 3496 wrote to memory of 1716	3496	PO 10884-01.exe	RegAsm.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 3832	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe
PID 1716 wrote to memory of 1268	1716	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\PO 10884-01.exe
"C:\Users\Admin\AppData\Local\Temp\PO 10884-01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9CDC.tmp"
3⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA0E4.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9CDC.tmp
Filesize
4KB

MD5
18b6368b183e546a35847ae24b4b2913

SHA1
040545f7ac2c987d2a79b5e7f1cf9ab83bd25923

SHA256
54c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af

SHA512
68ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698

Download Submit
memory/1268-101-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1268-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-79-0x0000000071042000-0x0000000071043000-memory.dmp

Filesize
4KB

Download
memory/1716-80-0x0000000071040000-0x00000000715F1000-memory.dmp

Filesize
5.7MB

Download
memory/1716-81-0x0000000071040000-0x00000000715F1000-memory.dmp

Filesize
5.7MB

Download
memory/1716-106-0x0000000071040000-0x00000000715F1000-memory.dmp

Filesize
5.7MB

Download
memory/1716-105-0x0000000071042000-0x0000000071043000-memory.dmp

Filesize
4KB

Download
memory/3496-52-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-42-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-5-0x0000000004FD0000-0x0000000004FF8000-memory.dmp

Filesize
160KB

Download
memory/3496-66-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-64-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-60-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-59-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-56-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-7-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-8-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-18-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-16-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-14-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-20-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-70-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-68-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-63-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-54-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-3-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-50-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-48-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-46-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-44-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-4-0x0000000005320000-0x00000000053D6000-memory.dmp

Filesize
728KB

Download
memory/3496-40-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-38-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-36-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-35-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-32-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-31-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-28-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-27-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-24-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-22-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-12-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-10-0x0000000004FD0000-0x0000000004FF1000-memory.dmp

Filesize
132KB

Download
memory/3496-75-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-76-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/3496-77-0x00000000053E0000-0x0000000005470000-memory.dmp

Filesize
576KB

Download
memory/3496-82-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/3496-83-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-84-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-2-0x0000000005040000-0x000000000521E000-memory.dmp

Filesize
1.9MB

Download
memory/3496-1-0x0000000000550000-0x0000000000616000-memory.dmp

Filesize
792KB

Download
memory/3496-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/3832-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3832-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download