Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 10:42
General
-
Target
Swift.exe
-
Size
1.3MB
-
MD5
4a6cdb0a5b956461c3766686317b8f77
-
SHA1
daa8f5b4aa6330289bc802c0fe38d541bc5572bc
-
SHA256
9f9c8fddfe9fb02c88d8cdaea6efe3a1f88e56af6bb71161e30a1196a8cd8438
-
SHA512
7efcd96570d9613bf989d31f87783af201666286ecedc1d769817c57fda0056906ffe9a678f8cec76f61f3377501e86ea62195448de5d70c283b10002e8c3ca1
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt
Family
masslogger
Ransom Note
<|| v2.1.0.0 ||>
User Name: Admin
IP: 154.61.71.51
Location: United States
Windows OS: Microsoft Windows 7 Professional 64bit
Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 7/16/2020 10:44:07 AM
MassLogger Started: 7/16/2020 10:44:01 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| USB Spread ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Signatures
-
Loads dropped DLL 2 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Executes dropped EXE 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Swift.exe"C:\Users\Admin\AppData\Local\Temp\Swift.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"3⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\Desktop\.exe"C:\Users\Admin\Desktop\.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
616KB