Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
13-07-2020 07:12
General
-
Target
0e82916860b22b2a67db5f6c6f2be1d0.exe
-
Size
930KB
-
MD5
0e82916860b22b2a67db5f6c6f2be1d0
-
SHA1
7e74b11f0b9d735fd023eb5c27f23c25471377ee
-
SHA256
45ff28eabf8854e1ce1d3bb088fc7cfa224dbeb1e8b66a4038682fd592013d54
-
SHA512
0e87afb22098056e00d3e00d9e830d1307370e8c54296927cc605803541c165c0791272bb0d76e80a23924860d15835de99aab79c1467bcd8f0701046257fc6b
Score
10/10
Malware Config
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Drops startup file 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 2630 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"C:\Users\Admin\AppData\Local\Temp\0e82916860b22b2a67db5f6c6f2be1d0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"3⤵
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"4⤵
- Suspicious behavior: AddClipboardFormatListener
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe"C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe" 2 1000 956404⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
C:\Users\Admin\AppData\Roaming\appdata\hjswwe.exe
-
memory/356-7-0x0000000000000000-mapping.dmp
-
memory/556-0-0x0000000000000000-mapping.dmp
-
memory/796-1-0x0000000000000000-mapping.dmp
-
memory/1000-8-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1000-5-0x000000000053F860-mapping.dmp
-
memory/1000-9-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1000-4-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/1000-11-0x0000000002330000-0x00000000023CA000-memory.dmpFilesize
616KB
-
memory/1000-12-0x00000000023D2000-0x00000000023D3000-memory.dmpFilesize
4KB