Analysis
-
max time kernel
73s -
max time network
116s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
31-07-2020 12:13
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7v200722
Behavioral task
behavioral2
Sample
gunzipped.exe
Resource
win10
General
-
Target
gunzipped.exe
-
Size
936KB
-
MD5
bbb0b33663055f506d0dc4fa382b6ef6
-
SHA1
c97788c492ebd0f959f069ab5b6d341fb2fbcaa1
-
SHA256
6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9
-
SHA512
d4adf010dd558fb0f6a70b09c675c636dbe70be04e1495dfd7b113b0975141e0e891c1723837c1bae114a327cc056718934196b6ea9843839c23f16f78a144b6
Malware Config
Extracted
C:\Users\Admin\AppData\Local\42EF15E83D\Log.txt
masslogger
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
gunzipped.exedescription pid process target process PID 336 set thread context of 1940 336 gunzipped.exe gunzipped.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
gunzipped.exepid process 1940 gunzipped.exe -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
gunzipped.exegunzipped.exedescription pid process Token: SeDebugPrivilege 336 gunzipped.exe Token: SeDebugPrivilege 1940 gunzipped.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
gunzipped.exedescription pid process target process PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe PID 336 wrote to memory of 1940 336 gunzipped.exe gunzipped.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
gunzipped.exepid process 1940 gunzipped.exe -
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
gunzipped.exegunzipped.exepid process 336 gunzipped.exe 336 gunzipped.exe 1940 gunzipped.exe 1940 gunzipped.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"{path}"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/336-1-0x0000000000000000-0x0000000000000000-disk.dmp
-
memory/1940-2-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1940-3-0x00000000004B2DEE-mapping.dmp
-
memory/1940-4-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1940-5-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB