Analysis
-
max time kernel
111s -
max time network
150s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 13:45
Static task
static1
Behavioral task
behavioral1
Sample
P8ZSVUpasVMfplc.exe
Resource
win7
Behavioral task
behavioral2
Sample
P8ZSVUpasVMfplc.exe
Resource
win10v200430
General
-
Target
P8ZSVUpasVMfplc.exe
-
Size
672KB
-
MD5
fab6a3b81fdd55171bb924b49248847a
-
SHA1
9d8d59c704f972258eb00cbb96278b3e78faf936
-
SHA256
922cd763d629a47261c509be5ac635d24bcd0f16e729b3e38074fd33317de616
-
SHA512
07df6342c72b4669262eb2c25719cdeb340d0d59dd84393edc3f3b65d6e66f2fb89d6bab3b7e4209a257577df2c9fdfdfbf4c7407dedb209274e3474072ba0d8
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt
masslogger
Signatures
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
P8ZSVUpasVMfplc.exedescription pid process target process PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe PID 1512 wrote to memory of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
P8ZSVUpasVMfplc.exedescription pid process target process PID 1512 set thread context of 1060 1512 P8ZSVUpasVMfplc.exe P8ZSVUpasVMfplc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
P8ZSVUpasVMfplc.exedescription pid process Token: SeDebugPrivilege 1060 P8ZSVUpasVMfplc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
P8ZSVUpasVMfplc.exepid process 1060 P8ZSVUpasVMfplc.exe -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes
-
C:\Users\Admin\AppData\Local\Temp\P8ZSVUpasVMfplc.exe"C:\Users\Admin\AppData\Local\Temp\P8ZSVUpasVMfplc.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\P8ZSVUpasVMfplc.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1060-2-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1060-3-0x000000000048966E-mapping.dmp
-
memory/1060-4-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1060-5-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1512-1-0x0000000000000000-0x0000000000000000-disk.dmp