Overview

overview

10

Static

static

gYMDqZk9NvACog9.exe

windows7_x64

10

gYMDqZk9NvACog9.exe

windows10_x64

3

Analysis

  • max time kernel
    138s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    14/07/2020, 13:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    gYMDqZk9NvACog9.exe

  • Size

    901KB

  • MD5

    a49788f4389f09f209c66e798acc4341

  • SHA1

    17909c880885433b7054ae36d1839b5e3cd2a0cf

  • SHA256

    92276f87f48836d141ee02c8b6f75398ded9a3e4b12b84441e3125933af6c755

  • SHA512

    51c5b561617e6f37d2863f5b17873186c9e8a69cf888c687d75a71395f3d1e42accca5172b1ad14acdcf66e99c1df3ca57f198f6d73107c9f357508d37520760

Score
10/10
stealerspywaremasslogger

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\gYMDqZk9NvACog9.exe
    "C:\Users\Admin\AppData\Local\Temp\gYMDqZk9NvACog9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1312
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BUhgWhStJLmQwe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9D1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1848
    • C:\Users\Admin\AppData\Local\Temp\gYMDqZk9NvACog9.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: AddClipboardFormatListener
      PID:1780

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1780-4-0x0000000000400000-0x000000000049A000-memory.dmp

          Filesize

          616KB

          Download

        • memory/1780-6-0x0000000000400000-0x000000000049A000-memory.dmp

          Filesize

          616KB

          Download

        • memory/1780-7-0x0000000000400000-0x000000000049A000-memory.dmp

          Filesize

          616KB

          Download