Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: 0e82916860b22b2a67db5f6c6f2be1d0.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 0e82916860b22b2a67db5f6c6f2be1d0.exe
- Resource: win10v200430
General
- Target: 0e82916860b22b2a67db5f6c6f2be1d0.exe
- Size: 930KB
- MD5: 0e82916860b22b2a67db5f6c6f2be1d0
- SHA1: 7e74b11f0b9d735fd023eb5c27f23c25471377ee
- SHA256: 45ff28eabf8854e1ce1d3bb088fc7cfa224dbeb1e8b66a4038682fd592013d54
- SHA512: 0e87afb22098056e00d3e00d9e830d1307370e8c54296927cc605803541c165c0791272bb0d76e80a23924860d15835de99aab79c1467bcd8f0701046257fc6b
Malware Config
Signatures
-
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: hjswwe.exe (PID 1840), Token: SeDebugPrivilege
- NTFS ADS (1 IoC)
  Process: notepad.exe (PID 1292) created file C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe:ZoneIdentifier
- Loads dropped DLL (2 IoCs)
  Process: notepad.exe (PID 1292), two loads
- Executes dropped EXE (3 IoCs)
  Processes: hjswwe.exe (PID 1776), hjswwe.exe (PID 1840), hjswwe.exe (PID 1872)
- Drops startup file (1 IoC)
  Process: notepad.exe (PID 1292) created file C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 4: api.ipify.org
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: hjswwe.exe (PID 1776)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: hjswwe.exe (PID 1840)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: hjswwe.exe (PID 1840)
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  YARA rule: masslogger_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Suspicious behavior: EnumeratesProcesses (1370 IoCs; the page lists only the first entries)
  Processes: 0e82916860b22b2a67db5f6c6f2be1d0.exe (PID 1516), hjswwe.exe (PID 1776), hjswwe.exe (PID 1872, listed repeatedly)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Source PID / process -> target PID / process (number of writes):
  1516 0e82916860b22b2a67db5f6c6f2be1d0.exe -> 1292 notepad.exe (6)
  1292 notepad.exe -> 1776 hjswwe.exe (4)
  1776 hjswwe.exe -> 1840 hjswwe.exe (4)
  1776 hjswwe.exe -> 1872 hjswwe.exe (4)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1776 hjswwe.exe set thread context of PID 1840 hjswwe.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  YARA rule upx matched three memory dumps of PID 1840, region 0x0000000000400000-0x0000000000541000:
  behavioral1/memory/1840-7, behavioral1/memory/1840-12, behavioral1/memory/1840-13
Processes
- C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe (PID 1516, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 1292, level 2, child of 1516)
    Command line: "C:\Windows\system32\notepad.exe" (the image resolves under SysWOW64 because the 32-bit parent's system32 path is redirected by WoW64)
    - NTFS ADS
    - Loads dropped DLL
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 1776, level 3, child of 1292)
      Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 1840, level 4, child of 1776)
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious behavior: AddClipboardFormatListener
      - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 1872, level 4, child of 1776)
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe" 2 1840 65629
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
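Read together, the signatures describe one chain: the submitted executable (PID 1516) starts notepad.exe with no arguments and writes into it six times; that notepad.exe drops hjswwe.exe (with a Zone.Identifier stream, the mark-of-the-web ADS) and win.vbs into the Startup folder and launches hjswwe.exe (PID 1776), which spawns two copies of itself and calls SetThreadContext on PID 1840, whose 0x400000 region later matches the UPX rule and which installs the window hook and clipboard listener. The Python below is an added example, not part of the sandbox report or of any tooling it mentions: it turns those observations into hunting rules and runs them over a constructed, Sysmon-like event list built from the PIDs and paths on this page. The Event schema, the rule names, the IP-lookup watch-list beyond api.ipify.org, and the sample events are assumptions; in particular the DNS event is attributed to PID 1840 as an assumption, since the page does not say which process performed the lookup.

```python
"""Hunting rules for the process/file chain in this report, evaluated over
constructed Sysmon-style events. Added example; the event schema, rule names
and sample events are assumptions built from the PIDs and paths on the page."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str            # "process" (creation), "file" (creation) or "dns" (query)
    pid: int             # acting process
    image: str           # image path of the acting process
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""     # created file path, or queried hostname for "dns"


USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
WINDOWS_BIN = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".lnk", ".exe")
# Assumed watch-list of public IP-echo services; api.ipify.org is the one seen here.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}


def _has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings in event order."""
    findings = []
    for e in events:
        if e.kind == "process":
            # A system binary started with no arguments by something in AppData/Temp
            # (which the report then shows being written to): the shape of process
            # hollowing or injection into a benign host process.
            if (WINDOWS_BIN.match(e.image) and USER_WRITABLE.search(e.parent_image)
                    and not _has_arguments(e.cmdline)):
                findings.append(("hollowing_candidate", e.pid))
            # notepad.exe has no business spawning an executable from AppData.
            if WINDOWS_BIN.match(e.parent_image) and USER_WRITABLE.search(e.image):
                findings.append(("system_binary_spawns_appdata_exe", e.pid))
            # A dropped binary re-launching its own image (here followed by
            # SetThreadContext into the child) is self-injection / unpacking.
            if (e.parent_image and e.image.lower() == e.parent_image.lower()
                    and USER_WRITABLE.search(e.image)):
                findings.append(("self_respawn_from_appdata", e.pid))
        elif e.kind == "file":
            if STARTUP_DIR.search(e.target) and e.target.lower().endswith(SCRIPT_EXT):
                findings.append(("startup_folder_drop", e.pid))
            # Zone.Identifier on a fresh .exe under AppData, written by a system
            # binary rather than a browser or mail client.
            if (e.target.lower().endswith(":zone.identifier")
                    and USER_WRITABLE.search(e.target) and WINDOWS_BIN.match(e.image)):
                findings.append(("system_binary_writes_ads_in_appdata", e.pid))
        elif e.kind == "dns" and e.target.lower() in IP_LOOKUP_HOSTS:
            findings.append(("external_ip_lookup", e.pid))
    return findings


def ancestry(events: List[Event], pid: int) -> List[Event]:
    """Process-creation events from the root down to pid, for reporting."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].parent_pid
    return chain[::-1]


# Constructed events mirroring the PIDs and paths in the report above.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"
HJSWWE = r"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"
SAMPLE_EVENTS = [
    Event("process", 1516, DROPPER, cmdline=f'"{DROPPER}"'),
    Event("process", 1292, NOTEPAD, 1516, DROPPER, r'"C:\Windows\system32\notepad.exe"'),
    Event("file", 1292, NOTEPAD, target=HJSWWE + ":Zone.Identifier"),
    Event("file", 1292, NOTEPAD, target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                                        r"\Start Menu\Programs\Startup\win.vbs"),
    Event("process", 1776, HJSWWE, 1292, NOTEPAD, f'"{HJSWWE}"'),
    Event("process", 1840, HJSWWE, 1776, HJSWWE, f'"{HJSWWE}"'),
    Event("process", 1872, HJSWWE, 1776, HJSWWE, f'"{HJSWWE}" 2 1840 65629'),
    Event("dns", 1840, HJSWWE, target="api.ipify.org"),   # PID is an assumption
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        chain = " -> ".join(f"{e.pid}:{e.image.rsplit(chr(92), 1)[-1]}"
                            for e in ancestry(SAMPLE_EVENTS, pid))
        print(f"{rule:40} pid {pid}  chain {chain}")
```

Run stand-alone it prints one finding per line with the ancestry chain back to the dropper. In production the same rules map onto Sysmon event IDs 1 (process create), 11 (file create), 15 (file stream create, which is where the Zone.Identifier write appears) and 22 (DNS query); the hollowing rule is deliberately narrow (system binary, no arguments, user-writable parent) so that a user opening Notepad from Explorer does not trip it.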
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (listed six times on the page: four entries with the drive letter and two as \Users\Admin\AppData\Roaming\appdata\hjswwe.exe)
- memory/1292-1-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
- memory/1292-0-0x0000000000000000-mapping.dmp
- memory/1776-4-0x0000000000000000-mapping.dmp
- memory/1840-12-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
- memory/1840-8-0x000000000053F860-mapping.dmp
- memory/1840-7-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
- memory/1840-13-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
- memory/1840-14-0x0000000001EE0000-0x0000000001F7A000-memory.dmp (616KB)
- memory/1840-15-0x0000000001ED2000-0x0000000001ED3000-memory.dmp (4KB)
- memory/1840-16-0x0000000000220000-0x00000000002B3000-memory.dmp (588KB)
- memory/1872-10-0x0000000000000000-mapping.dmp