Analysis
Max time kernel: 126s
Max time network: 132s
Platform: windows7_x64
Resource: win7
Submitted: 07-07-2020 09:45

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: Company Info.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Company Info.exe
  Resource: win10v200430
General
Target: Company Info.exe
Size: 869KB
MD5: 3619d3ebb45aa02a640af44be1c1cda1
SHA1: b38e409b0226de9221201d2be44c08f633b4106e
SHA256: 0c3a54b9d65c5d6aff6d565f3fd50be5db7c7a9f8a14bf760b82e65d4de24730
SHA512: e574e52e0cd56a7f7a5bd687123a552cb92dd9373518930bb6d4423495e8629cdbefa7bc5d8a30e20fa0a944ad1d8a6e567aeaf0054a91eac085b594635d49eb
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt
  Family: masslogger
Extracted
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: Dmacdavid
Signatures
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1072 Company Info.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network: flow 6, IoC api.ipify.org
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1072 Company Info.exe, Token: SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 1072 Company Info.exe
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  YARA rule: masslogger_log_file
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 1072 Company Info.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (source PID, target PID, source process, procid_target):
    PID 836 wrote to memory of 1616, Company Info.exe, procid_target 24 (4 occurrences)
    PID 836 wrote to memory of 1072, Company Info.exe, procid_target 26 (9 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 836 set thread context of 1072, Company Info.exe, procid_target 26
Processes
- C:\Users\Admin\AppData\Local\Temp\Company Info.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Company Info.exe"
  PID: 836
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jsuDtegzUxrJmh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5A1.tmp"
    PID: 1616
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Company Info.exe (depth 2)
    Command line: "{path}"
    PID: 1072
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: AddClipboardFormatListener