Analysis

max time kernel: 128s
max time network: 111s
platform: windows7_x64
resource: win7v200430
submitted: 17-07-2020 05:28

Static task: static1
Behavioral task: behavioral1 (sample Na4hsgjtrPIobAM.exe, resource win7v200430)
Behavioral task: behavioral2 (sample Na4hsgjtrPIobAM.exe, resource win10)
General

Target: Na4hsgjtrPIobAM.exe
Size: 1.2MB
MD5: 11bb02cfce17265a128473afd7c40049
SHA1: 9232267ebbbdb7599083f3340e4dc4d53fa7f96b
SHA256: 0a699d50cee9fc3eb46b0703c5502a84fbb357757853e25474683baf8f477fe0
SHA512: f41eb62ccf52f71d94a9d731f84f16589207d4dd5343ca710b24bc9f3ab9585cd87f5c8eb15c14be810034341db98574c0de22a43f25ccc181201319e87e534c
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\C8A579F880\Log.txt
Family: masslogger
Signatures

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source PID / process wrote to memory of target PID / process):
  PID 272 Na4hsgjtrPIobAM.exe wrote to memory of PID 1868 schtasks.exe (4 entries)
  PID 272 Na4hsgjtrPIobAM.exe wrote to memory of PID 1764 Na4hsgjtrPIobAM.exe (4 entries)
  PID 272 Na4hsgjtrPIobAM.exe wrote to memory of PID 520 Na4hsgjtrPIobAM.exe (9 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 272 Na4hsgjtrPIobAM.exe
  Token: SeDebugPrivilege, PID 520 Na4hsgjtrPIobAM.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  PID 272 Na4hsgjtrPIobAM.exe
  PID 520 Na4hsgjtrPIobAM.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  PID 520 Na4hsgjtrPIobAM.exe
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  YARA rule: masslogger_log_file
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 272 Na4hsgjtrPIobAM.exe set thread context of PID 520 Na4hsgjtrPIobAM.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  PID 520 Na4hsgjtrPIobAM.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 5: api.ipify.org
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
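Read together, the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken signatures above describe the usual self-hollowing sequence: the first stage (PID 272) takes SeDebugPrivilege, starts a copy of itself, writes into it and then resets its primary thread's context. Only one of the three write targets, PID 520, also received SetThreadContext, and it is the process that then shows the stealer behaviour (EnumeratesProcesses, SetWindowsHookEx, AddClipboardFormatListener). The other two targets, schtasks.exe and the first self-copy PID 1764, each got exactly four writes and nothing else, which reads as the normal cost of creating a child process on this platform rather than an injection (an inference from the two non-hollowed children; the report does not say so itself). The script below is an example added by the editor, not the sandbox's own signature engine: it re-types the events from the tables above and applies that reading. The "baseline" heuristic, the labels and every function name are the editor's assumptions.

```python
"""Separate real code injection from process-start noise in sandbox API logs.

Added by the editor; this is not the sandbox's own signature logic. The
events are re-typed from the WriteProcessMemory and SetThreadContext
tables in the report above, and the function names are the editor's.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple


class ApiEvent(NamedTuple):
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def _repeat(api: str, src: int, dst: int, dst_image: str, n: int) -> List[ApiEvent]:
    """n identical events from the first stage (the sandbox logs each call separately)."""
    return [ApiEvent(api, src, "Na4hsgjtrPIobAM.exe", dst, dst_image)] * n


# Re-typed from the report: 4 + 4 + 9 = 17 WriteProcessMemory IoCs and the
# single SetThreadContext IoC, all issued by the first-stage PID 272.
SAMPLE_EVENTS: List[ApiEvent] = (
    _repeat("WriteProcessMemory", 272, 1868, "schtasks.exe", 4)
    + _repeat("WriteProcessMemory", 272, 1764, "Na4hsgjtrPIobAM.exe", 4)
    + _repeat("WriteProcessMemory", 272, 520, "Na4hsgjtrPIobAM.exe", 9)
    + _repeat("SetThreadContext", 272, 520, "Na4hsgjtrPIobAM.exe", 1)
)


def classify_targets(events: List[ApiEvent]) -> Dict[int, Dict[str, object]]:
    """Label every process that a parent wrote into.

    Heuristic (editor's assumption): the smallest WriteProcessMemory count a
    parent produces against any of its children is the normal cost of
    starting a child, so it is the baseline. A target that also receives
    SetThreadContext is labelled "hollowing": the parent overwrote the
    suspended child's image and redirected its primary thread. Extra writes
    without a context reset get their own label so they are not lost.
    """
    writes: Counter = Counter()
    ctx: Set[Tuple[int, int]] = set()
    images: Dict[Tuple[int, int], Tuple[str, str]] = {}
    for e in events:
        key = (e.src_pid, e.dst_pid)
        images[key] = (e.src_image, e.dst_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx.add(key)

    baseline: Dict[int, int] = {}
    for (src, _dst), n in writes.items():
        baseline[src] = min(baseline.get(src, n), n)

    verdicts: Dict[int, Dict[str, object]] = {}
    for (src, dst), (src_img, dst_img) in images.items():
        n = writes[(src, dst)]
        if (src, dst) in ctx:
            label = "hollowing"
        elif n > baseline.get(src, 0):
            label = "injection-without-context-reset"
        else:
            label = "process-start-baseline"
        verdicts[dst] = {
            "label": label,
            "writes": n,
            "same_image": src_img.lower() == dst_img.lower(),
            "target": dst_img,
        }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(classify_targets(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

On the report's events this labels PID 520 as hollowed (nine writes plus a context reset, same image as the parent) and PIDs 1868 and 1764 as ordinary process starts. The three 608KB dumps of 0x400000-0x498000 from PID 520 under Downloads are where to look for the payload that replaced the original image.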
Processes

1. C:\Users\Admin\AppData\Local\Temp\Na4hsgjtrPIobAM.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Na4hsgjtrPIobAM.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetThreadContext

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JjgjWaSAzPgpP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E1.tmp"
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\Na4hsgjtrPIobAM.exe
      Command line: "{path}"

   2. C:\Users\Admin\AppData\Local\Temp\Na4hsgjtrPIobAM.exe
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious behavior: AddClipboardFormatListener
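The schtasks.exe line in the tree above is the persistence step: the first stage drops a task definition as tmp21E1.tmp in its own Temp directory (the file is listed again under Downloads), registers it under the innocuous-looking folder Updates\, and leaves the task engine to relaunch it. Two details in that single line are worth pulling out in triage. First, the task XML lives in a user-writable temp path with a .tmp name, which no software installer does. Second, the loaded image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32: that is WOW64 file-system redirection, so the parent is a 32-bit process. The script below is an example added by the editor, not tooling from the report; it parses process-creation records of the shape shown here, flags the temp-path XML and notes the redirection. The first record is the page's own line, the other two and the helper names are constructed by the editor.

```python
"""Flag schtasks.exe persistence from process-creation records.

Added example by the editor; the record format and the checks are the
editor's, not the sandbox's. The first sample record is the schtasks line
from the process tree above, the other two are constructed for contrast.
"""
import re
from typing import Dict, List, NamedTuple

# Quoted argument (keeps spaces and backslashes) or a bare whitespace-free token.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Task definitions read from the user's temp directory are the thing to flag.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


class ProcRecord(NamedTuple):
    image: str      # executable path the sandbox saw loaded
    cmdline: str    # command line exactly as passed by the parent


SAMPLE_RECORDS: List[ProcRecord] = [
    # From the report above.
    ProcRecord(
        r"C:\Windows\SysWOW64\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JjgjWaSAzPgpP" '
        r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp21E1.tmp"',
    ),
    # Constructed: an administrator registering a task from a deployed file.
    ProcRecord(
        r"C:\Windows\System32\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
        r'/XML "C:\ProgramData\Backup\nightly.xml"',
    ),
    # Constructed: schtasks invoked, but not to create anything.
    ProcRecord(r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Backup\Nightly"'),
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double quotes."""
    return [bare or quoted for quoted, bare in TOKEN_RE.findall(cmdline)]


def switch_args(tokens: List[str]) -> Dict[str, str]:
    """Map each /switch (lower-cased) to the value that follows it, or ''."""
    args: Dict[str, str] = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("/"):
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        args[tok.lower()] = tokens[i + 1] if has_value else ""
    return args


def assess(rec: ProcRecord) -> Dict[str, object]:
    """Return task name, XML path, suspicious reasons and informational notes."""
    tokens = tokenize(rec.cmdline)
    result: Dict[str, object] = {"suspicious": False, "task": "", "xml": "", "reasons": [], "notes": []}
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return result
    args = switch_args(tokens)
    reasons: List[str] = []
    notes: List[str] = []
    if "/create" in args:
        xml = args.get("/xml", "")
        if TEMP_RE.search(xml):
            reasons.append("task definition read from the user's temp directory")
        if xml.lower().endswith(".tmp"):
            reasons.append("task definition carries a .tmp name")
        result["task"] = args.get("/tn", "")
        result["xml"] = xml
    # The command line names System32 but the loaded image is SysWOW64:
    # WOW64 file-system redirection, i.e. the parent is a 32-bit process.
    if rec.image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in tokens[0].lower():
        notes.append("32-bit parent: System32 path redirected to SysWOW64")
    result["reasons"], result["notes"] = reasons, notes
    result["suspicious"] = bool(reasons)
    return result


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(assess(rec))
```

The redirection note is kept separate from the suspicious reasons on purpose: plenty of legitimate 32-bit installers call schtasks, so on its own it only tells you the parent's bitness, which here matches the 32-bit image region dumped from PID 520.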
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp21E1.tmp
- memory/272-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/520-4-0x0000000000400000-0x0000000000498000-memory.dmp (608KB)
- memory/520-5-0x0000000000493F4E-mapping.dmp
- memory/520-6-0x0000000000400000-0x0000000000498000-memory.dmp (608KB)
- memory/520-7-0x0000000000400000-0x0000000000498000-memory.dmp (608KB)
- memory/1868-2-0x0000000000000000-mapping.dmp