Analysis
- max time kernel: 137s
- max time network: 155s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 13:06
Static task: static1
Behavioral task: behavioral1
  Sample: ROLLY 3Y23RY4R2.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: ROLLY 3Y23RY4R2.exe
  Resource: win10v200430
General
- Target: ROLLY 3Y23RY4R2.exe
- Size: 836KB
- MD5: 4e1530c6b967dd7d25fed0be9112dd2f
- SHA1: ed8902a013ffb305e901bc7cc0b1d8cbbf7cf7cf
- SHA256: 1a59f2492b5b15c0678e6134d6ec4df38c45de5555767463cf9590bfdb1fdda8
- SHA512: 4e06f5ec5f6911d8eb5948afc5598d61bf810feea4b2a17dd28ce0f9605524918a5cbc3a5baf3135955b1e0f1004a87e97fd0226753f0dd2690fade66e09e173
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt
- Family: masslogger
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process               target process
    PID 1400 wrote to memory of 1788   1400  ROLLY 3Y23RY4R2.exe   ROLLY 3Y23RY4R2.exe
    (this same entry is listed nine times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1788  ROLLY 3Y23RY4R2.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1788  ROLLY 3Y23RY4R2.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1788  ROLLY 3Y23RY4R2.exe
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    5      api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process               target process
    PID 1400 set thread context of 1788   1400  ROLLY 3Y23RY4R2.exe   ROLLY 3Y23RY4R2.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1788  ROLLY 3Y23RY4R2.exe
    1788  ROLLY 3Y23RY4R2.exe
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule
    masslogger_log_file
Processes
- C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe (child process)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1400-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1788-2-0x0000000000400000-0x00000000004A8000-memory.dmp (filesize: 672KB)
- memory/1788-3-0x00000000004A304E-mapping.dmp
- memory/1788-4-0x0000000000400000-0x00000000004A8000-memory.dmp (filesize: 672KB)
- memory/1788-5-0x0000000000400000-0x00000000004A8000-memory.dmp (filesize: 672KB)