Analysis
- max time kernel: 144s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 29-06-2020 06:37
Static task: static1
Behavioral task: behavioral1
  Sample: img00001.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: img00001.exe
  Resource: win10v200430
General
- Target: img00001.exe
- Size: 1.1MB
- MD5: 0bcff00665c7d39364e53f1c2a1033d2
- SHA1: d827d7eb28fc2077dd887aef57d0862f7c048860
- SHA256: 48cad358250f70cffecaed785f4d128f48174adc0ee5948e00ab1b6ffbef803c
- SHA512: a7a61aa8bb9716a719699a7587ba8be1a4606cc149544de3f9f1c4881817dc3982a585bb6b101fc069e6ad01710417516c2af9fea765ba857f622ea660b23a73
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt
- Family: masslogger
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     api.ipify.org
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid  process       target process
    PID 900 wrote to memory of 1800   900  img00001.exe  schtasks.exe
    PID 900 wrote to memory of 1800   900  img00001.exe  schtasks.exe
    PID 900 wrote to memory of 1800   900  img00001.exe  schtasks.exe
    PID 900 wrote to memory of 1800   900  img00001.exe  schtasks.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
    PID 900 wrote to memory of 1232   900  img00001.exe  img00001.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   900   img00001.exe
    Token: SeDebugPrivilege   1232  img00001.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1232  img00001.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid   process
    1232  img00001.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid  process       target process
    PID 900 set thread context of 1232   900  img00001.exe  img00001.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    900   img00001.exe
    1232  img00001.exe
    1232  img00001.exe
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule: masslogger_log_file
Processes
- C:\Users\Admin\AppData\Local\Temp\img00001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\img00001.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GADJZIjhLD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10D1.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\img00001.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\img00001.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp10D1.tmp
- memory/900-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1232-4-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
- memory/1232-5-0x00000000004A316E-mapping.dmp
- memory/1232-6-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
- memory/1232-7-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
- memory/1800-2-0x0000000000000000-mapping.dmp