Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7 -
submitted
13-07-2020 07:12
General
-
Target
0e82916860b22b2a67db5f6c6f2be1d0.exe
-
Size
930KB
-
MD5
0e82916860b22b2a67db5f6c6f2be1d0
-
SHA1
7e74b11f0b9d735fd023eb5c27f23c25471377ee
-
SHA256
45ff28eabf8854e1ce1d3bb088fc7cfa224dbeb1e8b66a4038682fd592013d54
-
SHA512
0e87afb22098056e00d3e00d9e830d1307370e8c54296927cc605803541c165c0791272bb0d76e80a23924860d15835de99aab79c1467bcd8f0701046257fc6b
Score
10/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
NTFS ADS 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Drops startup file 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Suspicious behavior: EnumeratesProcesses 1370 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- NTFS ADS
- Loads dropped DLL
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe" 2 1840 656294⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
memory/1292-1-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1292-0-0x0000000000000000-mapping.dmp
-
memory/1776-4-0x0000000000000000-mapping.dmp
-
memory/1840-12-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1840-8-0x000000000053F860-mapping.dmp
-
memory/1840-7-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1840-13-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1840-14-0x0000000001EE0000-0x0000000001F7A000-memory.dmpFilesize
616KB
-
memory/1840-15-0x0000000001ED2000-0x0000000001ED3000-memory.dmpFilesize
4KB
-
memory/1840-16-0x0000000000220000-0x00000000002B3000-memory.dmpFilesize
588KB
-
memory/1872-10-0x0000000000000000-mapping.dmp