Analysis
- max time kernel: 54s
- max time network: 152s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: Request for new order.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: Request for new order.exe
  Resource: win10
General
- Target: Request for new order.exe
- Size: 875KB
- MD5: f6e60d4e007049b18de4fb87c38927c3
- SHA1: bba2fcd204840b1235dea163bbfeae3a59e3b763
- SHA256: 495fdf3a95e1f56f9ec94bfdcdafe87a41be371947f24853c18cc98b24a6a281
- SHA512: a46e7a014a3dd577a5e9d7976845185c1f45c6c321bf8cd3c364576afbdccbe0fca7b0057f63e13416c81a60a0e63bce9c2e4ce5b26801cb179a4e6a6c62b5c3
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt
  Family: masslogger
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    - description: Token: SeDebugPrivilege | pid: 272 | process: Request for new order.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    - pid: 272 | process: Request for new order.exe
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    - flow: 5 | ioc: api.ipify.org
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies the visibility of hidden or system files (1 IoCs)
  Processes:
    - description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | process: Request for new order.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    - description: PID 272 wrote to memory of 1924 | pid: 272 | process: Request for new order.exe | target process: schtasks.exe
    - description: PID 272 wrote to memory of 1924 | pid: 272 | process: Request for new order.exe | target process: schtasks.exe
    - description: PID 272 wrote to memory of 1924 | pid: 272 | process: Request for new order.exe | target process: schtasks.exe
    - description: PID 272 wrote to memory of 1924 | pid: 272 | process: Request for new order.exe | target process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    - pid: 272 | process: Request for new order.exe
    - pid: 272 | process: Request for new order.exe
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
    - yara_rule: masslogger_log_file
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    - pid: 272 | process: Request for new order.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Request for new order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request for new order.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Modifies the visibility of hidden or system files
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: AddClipboardFormatListener
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeeOQoeWj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF536.tmp"
    - Creates scheduled task(s)