Analysis
- max time kernel: 151s
- max time network: 123s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 08:31

Static task: static1
Behavioral task: behavioral1 (sample 75fa1950d036dddf87bddfa1e0f19387.exe, resource win7)
Behavioral task: behavioral2 (sample 75fa1950d036dddf87bddfa1e0f19387.exe, resource win10)

General
- Target: 75fa1950d036dddf87bddfa1e0f19387.exe
- Size: 918KB
- MD5: 75fa1950d036dddf87bddfa1e0f19387
- SHA1: 1d7de541391fb805c6b4e3899d547e93845c273d
- SHA256: 5bd96a0d70ece4a045c040b8d98ae78979da156e27138aa4a8b718cfff978cbf
- SHA512: d067a7a49d800052aba052a44c37b78dd01eb9793a14ded33ea7ed9f52884059f7c06358f6f5d2352bf1f4b6755d5e1fd3368f173e4e18966afb97c79e77aa62
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt
- Family: masslogger
Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 4, ioc api.ipify.org
Suspicious behavior: EnumeratesProcesses 1371 IoCs
Processes (pid, process; the report lists one row per event, repeats collapsed here):
1496 75fa1950d036dddf87bddfa1e0f19387.exe
884 hdjfksfj.exe
308 hdjfksfj.exe (repeated for the remaining events)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 280 hdjfksfj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pid 280 hdjfksfj.exe: Token: SeDebugPrivilege
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file
yara_rule upx matches (pid 280 memory dumps, each listed twice in the report):
behavioral1/memory/280-7-0x0000000000400000-0x0000000000541000-memory.dmp upx
behavioral1/memory/280-11-0x0000000000400000-0x0000000000541000-memory.dmp upx
behavioral1/memory/280-13-0x0000000000400000-0x0000000000541000-memory.dmp upx
Drops startup file 1 IoCs
Processes:
notepad.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Loads dropped DLL 2 IoCs
Processes:
pid 1560 notepad.exe (2 events)
Executes dropped EXE 3 IoCs
Processes:
pid 884 hdjfksfj.exe
pid 280 hdjfksfj.exe
pid 308 hdjfksfj.exe
NTFS ADS 1 IoCs
Processes:
notepad.exe: File created C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe:ZoneIdentifier
Suspicious use of WriteProcessMemory 18 IoCs
Processes (source pid -> target pid, source process -> target process; each pair is recorded several times):
PID 1496 wrote to memory of 1560: 75fa1950d036dddf87bddfa1e0f19387.exe -> notepad.exe (6 events)
PID 1560 wrote to memory of 884: notepad.exe -> hdjfksfj.exe (4 events)
PID 884 wrote to memory of 280: hdjfksfj.exe -> hdjfksfj.exe (4 events)
PID 884 wrote to memory of 308: hdjfksfj.exe -> hdjfksfj.exe (4 events)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 280 hdjfksfj.exe
MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 884 hdjfksfj.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 884 set thread context of 280: hdjfksfj.exe -> hdjfksfj.exe
Processes (tree; PIDs taken from the signature rows above)

1. C:\Users\Admin\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exe (pid 1496)
   Command line: "C:\Users\Admin\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\notepad.exe (pid 1560; 32-bit process, so the system32 path in the command line is redirected to SysWOW64)
      Command line: "C:\Windows\system32\notepad.exe"
      - Drops startup file
      - Loads dropped DLL
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (pid 884)
         Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of SetThreadContext

         4. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (pid 280)
            Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe"
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

         4. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (pid 308)
            Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe" 2 280 61901
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
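The signature rows and the process tree describe a dropper chain: the sample starts notepad.exe, notepad.exe drops hdjfksfj.exe and a Startup-folder web.vbs, and hdjfksfj.exe (pid 884) writes into a second copy of itself (pid 280) and then sets that copy's thread context, the classic process-hollowing (RunPE) sequence. The Python below is an added example, not part of the Triage report or of MassLogger: it parses the report's flattened rows (constructed here, one event per line) and turns them into detection logic that flags hollowing, a LOLBin spawning a payload, Startup persistence, an NTFS stream write on the dropped executable and the external IP lookup. The list of IP-echo domains and the set of binaries that should never have children are assumptions, and treating "wrote to memory of" as the parent/child edge relies on the process tree above, which confirms those PIDs.

```python
import re
from collections import defaultdict

# Constructed sample: the signature rows from the report above, one event per
# line (Triage renders them as a single flattened row).
SAMPLE_EVENTS = r"""
PID 1496 wrote to memory of 1560 1496 75fa1950d036dddf87bddfa1e0f19387.exe notepad.exe
PID 1560 wrote to memory of 884 1560 notepad.exe hdjfksfj.exe
PID 884 wrote to memory of 280 884 hdjfksfj.exe hdjfksfj.exe
PID 884 wrote to memory of 308 884 hdjfksfj.exe hdjfksfj.exe
PID 884 set thread context of 280 884 hdjfksfj.exe hdjfksfj.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs notepad.exe
File created C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe:ZoneIdentifier notepad.exe
flow ioc 4 api.ipify.org
"""

# Row formats as printed: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
FILE_RE = re.compile(r"^File created (.+) (\S+\.exe)$")
FLOW_RE = re.compile(r"^flow ioc \d+ (\S+)$")

# Assumptions, not from the report: public IP-echo services and system
# binaries that have no legitimate reason to launch other executables.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}
NO_CHILDREN_EXPECTED = {"notepad.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def analyse(events: str) -> list:
    """Turn flattened Triage rows into a list of (rule, detail) findings."""
    image = {}                     # pid -> lower-cased image name
    wrote_into = defaultdict(set)  # writer pid -> set of target pids
    thread_ctx = set()             # (writer pid, target pid) from SetThreadContext
    findings = []

    for line in events.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := WRITE_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            image[int(src)], image[int(dst)] = src_img.lower(), dst_img.lower()
            # The parent's writes into a freshly created child show up as
            # WriteProcessMemory, so this edge doubles as the parent -> child relation.
            wrote_into[int(src)].add(int(dst))
        elif m := CTX_RE.match(line):
            thread_ctx.add((int(m[1]), int(m[2])))
        elif m := FILE_RE.match(line):
            path, proc = m.group(1), m.group(2).lower()
            # "C:\dir\file.exe:Stream" -> split the NTFS stream name off the path.
            base, stream = path.rsplit(":", 1) if path.count(":") > 1 else (path, None)
            low = base.lower()
            if stream:
                findings.append(("ntfs_ads", f"{proc} wrote stream {stream} on {base}"))
            if STARTUP_DIR in low:
                findings.append(("startup_persistence", f"{proc} dropped {base}"))
            if "\\appdata\\roaming\\" in low and low.endswith(".exe"):
                findings.append(("dropped_exe_in_profile", f"{proc} dropped {base}"))
        elif m := FLOW_RE.match(line):
            if m[1].lower() in IP_LOOKUP_DOMAINS:
                findings.append(("external_ip_lookup", m[1]))

    # Hollowing heuristic: a process writes into a child running the same image
    # and then replaces that child's thread context (RunPE / process hollowing).
    for src, dst in sorted(thread_ctx):
        if dst in wrote_into[src] and image.get(src) == image.get(dst):
            findings.append(("process_hollowing", f"pid {src} -> pid {dst} ({image[src]})"))

    # A LOLBin such as notepad.exe launching anything at all is itself a signal.
    for pid, kids in sorted(wrote_into.items()):
        if image.get(pid) in NO_CHILDREN_EXPECTED:
            for kid in sorted(kids):
                findings.append(("unexpected_child", f"{image[pid]} pid {pid} -> {image[kid]} pid {kid}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

Run against the constructed rows this yields six findings, and only pid 280 is reported as hollowed: pid 308, the third copy launched with the arguments `2 280 61901`, has no SetThreadContext row and is left alone, which is the distinction a hunting query should preserve so that ordinary parent/child process creation does not trip the rule.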
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped file (six entries in the report, four with the drive letter and two without, all the same path):
C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe

Memory dumps:
memory/280-8-0x000000000053F860-mapping.dmp
memory/280-7-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
memory/280-11-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
memory/280-13-0x0000000000400000-0x0000000000541000-memory.dmp (1.3MB)
memory/280-14-0x0000000001F90000-0x000000000202A000-memory.dmp (616KB)
memory/280-15-0x00000000002B2000-0x00000000002B3000-memory.dmp (4KB)
memory/280-16-0x0000000000550000-0x00000000005E3000-memory.dmp (588KB)
memory/308-10-0x0000000000000000-mapping.dmp
memory/884-4-0x0000000000000000-mapping.dmp
memory/1560-0-0x0000000000000000-mapping.dmp
memory/1560-1-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)