Analysis
- max time kernel: 150s
- max time network: 112s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 07:12
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 0e82916860b22b2a67db5f6c6f2be1d0.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: 0e82916860b22b2a67db5f6c6f2be1d0.exe, Resource: win10v200430)
General
- Target: 0e82916860b22b2a67db5f6c6f2be1d0.exe
- Size: 930KB
- MD5: 0e82916860b22b2a67db5f6c6f2be1d0
- SHA1: 7e74b11f0b9d735fd023eb5c27f23c25471377ee
- SHA256: 45ff28eabf8854e1ce1d3bb088fc7cfa224dbeb1e8b66a4038682fd592013d54
- SHA512: 0e87afb22098056e00d3e00d9e830d1307370e8c54296927cc605803541c165c0791272bb0d76e80a23924860d15835de99aab79c1467bcd8f0701046257fc6b
Malware Config
Signatures
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 1000 hjswwe.exe
- Drops startup file (1 IoC)
  Processes: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs by notepad.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 1, IoC api.ipify.org
- NTFS ADS (1 IoC)
  Processes: File created C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe:ZoneIdentifier by notepad.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 796 hjswwe.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Executes dropped EXE (3 IoCs)
  Processes: PID 796 hjswwe.exe; PID 1000 hjswwe.exe; PID 356 hjswwe.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 796 (hjswwe.exe) set thread context of PID 1000 (hjswwe.exe)
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  YARA rule: masslogger_log_file
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Resources matching YARA rule upx:
    behavioral2/memory/1000-4-0x0000000000400000-0x0000000000541000-memory.dmp
    behavioral2/memory/1000-8-0x0000000000400000-0x0000000000541000-memory.dmp
    behavioral2/memory/1000-9-0x0000000000400000-0x0000000000541000-memory.dmp
- Suspicious behavior: EnumeratesProcesses (2630 IoCs)
  Processes (PID and image, one row per hit): 2916 0e82916860b22b2a67db5f6c6f2be1d0.exe; 796 hjswwe.exe; 356 hjswwe.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (source PID wrote to memory of target PID):
    2916 0e82916860b22b2a67db5f6c6f2be1d0.exe -> 556 notepad.exe (5 hits)
    556 notepad.exe -> 796 hjswwe.exe (3 hits)
    796 hjswwe.exe -> 1000 hjswwe.exe (3 hits)
    796 hjswwe.exe -> 356 hjswwe.exe (3 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token SeDebugPrivilege, PID 1000 hjswwe.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1000 hjswwe.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe (PID 2916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 556)
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 796)
      Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"
      - Suspicious behavior: MapViewOfSection
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 1000)
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"
        - Suspicious behavior: AddClipboardFormatListener
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (PID 356)
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe" 2 1000 95640
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe (four entries)
- memory/356-7-0x0000000000000000-mapping.dmp
- memory/556-0-0x0000000000000000-mapping.dmp
- memory/796-1-0x0000000000000000-mapping.dmp
- memory/1000-8-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/1000-5-0x000000000053F860-mapping.dmp
- memory/1000-9-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/1000-4-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/1000-11-0x0000000002330000-0x00000000023CA000-memory.dmp (Filesize: 616KB)
- memory/1000-12-0x00000000023D2000-0x00000000023D3000-memory.dmp (Filesize: 4KB)