Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
16-06-2020 20:57
Static task
static1
Behavioral task
behavioral1
Sample
D22zyhdi6zFGT56.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
D22zyhdi6zFGT56.exe
Resource
win10
General
-
Target
D22zyhdi6zFGT56.exe
-
Size
859KB
-
MD5
279827a2093074fab8e309b66c6865cd
-
SHA1
f0c512393409f227309f56a023b57495892f8941
-
SHA256
4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b
-
SHA512
ff9033720a3ea8eaa668df569e48287e337d3199aa3a47131504a589c4d6de8410fa8d567ce84867468ae5c123677cbd8cf7f2fba0a17dce080d9aeafb04d1b6
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt
masslogger
Signatures
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
D22zyhdi6zFGT56.exepid process 652 D22zyhdi6zFGT56.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
D22zyhdi6zFGT56.exepid process 652 D22zyhdi6zFGT56.exe -
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
D22zyhdi6zFGT56.exedescription pid process target process PID 1492 set thread context of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
D22zyhdi6zFGT56.exedescription pid process Token: SeDebugPrivilege 652 D22zyhdi6zFGT56.exe -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
D22zyhdi6zFGT56.exedescription pid process target process PID 1492 wrote to memory of 1844 1492 D22zyhdi6zFGT56.exe schtasks.exe PID 1492 wrote to memory of 1844 1492 D22zyhdi6zFGT56.exe schtasks.exe PID 1492 wrote to memory of 1844 1492 D22zyhdi6zFGT56.exe schtasks.exe PID 1492 wrote to memory of 1844 1492 D22zyhdi6zFGT56.exe schtasks.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe PID 1492 wrote to memory of 652 1492 D22zyhdi6zFGT56.exe D22zyhdi6zFGT56.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
D22zyhdi6zFGT56.exepid process 652 D22zyhdi6zFGT56.exe 652 D22zyhdi6zFGT56.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njrdvsnEGh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF324.tmp"2⤵
- Creates scheduled task(s)
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"{path}"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:652