Analysis
- max time kernel: 118s
- max time network: 145s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 09:58
Static task: static1
Behavioral task: behavioral1
- Sample: doc07675720200626101857.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: doc07675720200626101857.exe
- Resource: win10v200430
General
- Target: doc07675720200626101857.exe
- Size: 930KB
- MD5: 243a515982e6eba872d6366ec71d63b6
- SHA1: 85b71070f258dce1b5f92ea4aaa117419f6b8828
- SHA256: 420da876f8efdf70da0ec0ccd1b7aaa09547b6868d5fc655c05b50eadf20c360
- SHA512: cfaf4f25351c10962d143de38df4758d1359224975520bc1345d284ab62254b75e6115c1283b47331b312e0e624329f8c402235cb8682d9007419ad0b89122a4
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1020 | doc07675720200626101857.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    1020 | doc07675720200626101857.exe
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule
    masslogger_log_file
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1496 set thread context of 1020 | 1496 | doc07675720200626101857.exe | doc07675720200626101857.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 1496 wrote to memory of 1020 | 1496 | doc07675720200626101857.exe | doc07675720200626101857.exe
    PID 1496 wrote to memory of 1020 | 1496 | doc07675720200626101857.exe | doc07675720200626101857.exe
    PID 1496 wrote to memory of 1020 | 1496 | doc07675720200626101857.exe | doc07675720200626101857.exe
    PID 1496 wrote to memory of 1020 | 1496 | doc07675720200626101857.exe | doc07675720200626101857.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    1496 | doc07675720200626101857.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    1020 | doc07675720200626101857.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
    resource | yara_rule
    behavioral1/memory/1020-0-0x0000000000400000-0x0000000000542000-memory.dmp | upx
    behavioral1/memory/1020-2-0x0000000000400000-0x0000000000542000-memory.dmp | upx
    behavioral1/memory/1020-3-0x0000000000400000-0x0000000000542000-memory.dmp | upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4 | api.ipify.org
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid | process
    1496 | doc07675720200626101857.exe
    1020 | doc07675720200626101857.exe
    1020 | doc07675720200626101857.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe"
   PID: 1496
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe (child of PID 1496)
      Command line: "C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe"
      PID: 1020
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
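The signature hits and the process tree above describe one copy of the sample (PID 1496) writing into a second copy of itself (PID 1020) and resetting that copy's thread context, after which the child takes SeDebugPrivilege, installs a window hook and a clipboard listener, and resolves the host's external IP through api.ipify.org. The Python below is an added example, not part of the sandbox report or of any tool it was produced with: it rebuilds those events as records (PIDs, image path, API names and the ipify flow are taken from the report; the record layout, the function names and the extra external-IP hostnames in the watchlist are this example's own assumptions) and applies the checks an analyst would script to flag the same pattern in any behavioural log.

```python
from collections import defaultdict

# Records constructed from the report above. PIDs, image path, API names and
# the api.ipify.org flow are the report's; the record layout is this example's.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe"

# pid -> (image path, parent pid); None marks the root of the process tree.
PROCESSES = {
    1496: (IMAGE, None),
    1020: (IMAGE, 1496),
}

EVENTS = [
    {"api": "SetThreadContext",           "pid": 1496, "target": 1020},
    {"api": "WriteProcessMemory",         "pid": 1496, "target": 1020},
    {"api": "WriteProcessMemory",         "pid": 1496, "target": 1020},
    {"api": "WriteProcessMemory",         "pid": 1496, "target": 1020},
    {"api": "WriteProcessMemory",         "pid": 1496, "target": 1020},
    {"api": "MapViewOfSection",           "pid": 1496},
    {"api": "AdjustPrivilegeToken",       "pid": 1020, "detail": "SeDebugPrivilege"},
    {"api": "SetWindowsHookEx",           "pid": 1020},
    {"api": "AddClipboardFormatListener", "pid": 1020},
]

FLOWS = [{"flow": 4, "host": "api.ipify.org"}]

# api.ipify.org is the host in the report; the others are well-known
# external-IP services added here as an assumed watchlist.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ifconfig.me"}

# APIs that, in a freshly injected process, point at keylogging, clipboard
# capture and privilege manipulation rather than ordinary application behaviour.
STEALER_APIS = {"SetWindowsHookEx", "AddClipboardFormatListener", "AdjustPrivilegeToken"}


def detect_injection(processes, events):
    """One hit per (parent, child) pair where the parent spawned the child, wrote
    into its address space and reset a thread context in it: the
    WriteProcessMemory + SetThreadContext sequence used for process hollowing."""
    writes = defaultdict(int)
    context_resets = set()
    for e in events:
        key = (e["pid"], e.get("target"))
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            context_resets.add(key)

    hits = []
    for child, (image, parent) in processes.items():
        if parent is None:
            continue
        key = (parent, child)
        if writes[key] == 0 or key not in context_resets:
            continue
        hits.append({
            "parent": parent,
            "child": child,
            "writes": writes[key],
            # Here the sample hollows a copy of itself; hollowing a system
            # binary instead would show a different image on the child.
            "same_image": processes[parent][0].lower() == image.lower(),
        })
    return hits


def stealer_indicators(events, pid):
    """Sorted stealer-relevant API calls made by `pid`; AdjustPrivilegeToken
    carries the privilege name so SeDebugPrivilege stands out."""
    found = set()
    for e in events:
        if e["pid"] != pid or e["api"] not in STEALER_APIS:
            continue
        found.add(e["api"] + (":" + e["detail"] if "detail" in e else ""))
    return sorted(found)


def external_ip_lookups(flows):
    """Hosts in the network flows that match the external-IP watchlist."""
    return sorted({f["host"].lower() for f in flows if f["host"].lower() in IP_LOOKUP_HOSTS})


def analyze(processes, events, flows):
    """Combine the checks into a list of findings an analyst can act on."""
    findings = []
    for hit in detect_injection(processes, events):
        kind = "self-injection" if hit["same_image"] else "injection into another image"
        findings.append(f"PID {hit['parent']} -> PID {hit['child']}: {kind} "
                        f"({hit['writes']} WriteProcessMemory + SetThreadContext)")
        for ind in stealer_indicators(events, hit["child"]):
            findings.append(f"PID {hit['child']}: {ind} in injected process")
    for host in external_ip_lookups(flows):
        findings.append(f"external IP lookup via {host}")
    return findings


if __name__ == "__main__":
    for line in analyze(PROCESSES, EVENTS, FLOWS):
        print(line)
```

Run against the report's events this yields one injection finding for 1496 -> 1020, three indicator lines for the injected child and the ipify lookup. The WriteProcessMemory count alone is deliberately not enough to flag: the SetThreadContext on the same parent/child pair is what separates hollowing from a debugger or an installer patching a child it just started.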