Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 06:51

Static task: static1

Behavioral task: behavioral1
- Sample: e8680b7a890458b72e5118b62a6ab97c.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: e8680b7a890458b72e5118b62a6ab97c.exe
- Resource: win10

General
- Target: e8680b7a890458b72e5118b62a6ab97c.exe
- Size: 1.1MB
- MD5: e8680b7a890458b72e5118b62a6ab97c
- SHA1: 6e0ea318e9c238782466f47b7b3f0ed142a4b26d
- SHA256: 4eba9f4975de4fad373ec97aace6605f55249174c4dfc78c87f5567c98557210
- SHA512: 0273c0e921580832362bac6668c8336fc95aa177f0987bfd62399c619c6c6d1b51122688293726e4bffedbffb97f4f6c45716d142875e0f30ea7f2063a1f53d1
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1360 IoCs)
  Processes (pid, process):
    1400  e8680b7a890458b72e5118b62a6ab97c.exe
    1484  hjiwws.exe
    784   hjiwws.exe (this row is repeated for the remaining IoCs in the original listing)

- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  YARA rule: masslogger_log_file

- Drops startup file (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs  notepad.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc):
    3  api.ipify.org

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1484  hjiwws.exe
    676   hjiwws.exe
    784   hjiwws.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  676  hjiwws.exe

- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Resources (resource, yara_rule):
    behavioral1/memory/676-7-0x0000000000400000-0x0000000000541000-memory.dmp   upx
    behavioral1/memory/676-11-0x0000000000400000-0x0000000000541000-memory.dmp  upx
    behavioral1/memory/676-13-0x0000000000400000-0x0000000000541000-memory.dmp  upx
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1432  notepad.exe
    1432  notepad.exe

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    1484  hjiwws.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    676  hjiwws.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process), with the number of times each row occurs:
    PID 1400 wrote to memory of 1432  1400  e8680b7a890458b72e5118b62a6ab97c.exe  notepad.exe  (6 times)
    PID 1432 wrote to memory of 1484  1432  notepad.exe  hjiwws.exe  (4 times)
    PID 1484 wrote to memory of 676   1484  hjiwws.exe   hjiwws.exe  (4 times)
    PID 1484 wrote to memory of 784   1484  hjiwws.exe   hjiwws.exe  (4 times)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1484 set thread context of 676  1484  hjiwws.exe  hjiwws.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
    676  hjiwws.exe

- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\app\hjiwws.exe:ZoneIdentifier  notepad.exe
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes (tree; PIDs taken from the signature tables above)

- C:\Users\Admin\AppData\Local\Temp\e8680b7a890458b72e5118b62a6ab97c.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8680b7a890458b72e5118b62a6ab97c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\notepad.exe (PID 1432)
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - NTFS ADS

    - C:\Users\Admin\AppData\Roaming\app\hjiwws.exe (PID 1484)
      Command line: "C:\Users\Admin\AppData\Roaming\app\hjiwws.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      - C:\Users\Admin\AppData\Roaming\app\hjiwws.exe (PID 676)
        Command line: "C:\Users\Admin\AppData\Roaming\app\hjiwws.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious behavior: AddClipboardFormatListener

      - C:\Users\Admin\AppData\Roaming\app\hjiwws.exe (PID 784)
        Command line: "C:\Users\Admin\AppData\Roaming\app\hjiwws.exe" 2 676 115893
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files:
- C:\Users\Admin\AppData\Roaming\app\hjiwws.exe
- C:\Users\Admin\AppData\Roaming\app\hjiwws.exe
- C:\Users\Admin\AppData\Roaming\app\hjiwws.exe
- C:\Users\Admin\AppData\Roaming\app\hjiwws.exe
- \Users\Admin\AppData\Roaming\app\hjiwws.exe
- \Users\Admin\AppData\Roaming\app\hjiwws.exe

Memory dumps (file, size where reported):
- memory/676-16-0x0000000000230000-0x00000000002C3000-memory.dmp  588KB
- memory/676-14-0x0000000001F00000-0x0000000001F9A000-memory.dmp  616KB
- memory/676-7-0x0000000000400000-0x0000000000541000-memory.dmp   1.3MB
- memory/676-13-0x0000000000400000-0x0000000000541000-memory.dmp  1.3MB
- memory/676-11-0x0000000000400000-0x0000000000541000-memory.dmp  1.3MB
- memory/676-8-0x000000000053F7F0-mapping.dmp
- memory/784-10-0x0000000000000000-mapping.dmp
- memory/1432-0-0x0000000000000000-mapping.dmp
- memory/1432-1-0x0000000000090000-0x0000000000091000-memory.dmp  4KB
- memory/1484-4-0x0000000000000000-mapping.dmp