Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2885d39472461249eea2d56856ea913a.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 2885d39472461249eea2d56856ea913a.exe
  Resource: win10v200722
General
- Target: 2885d39472461249eea2d56856ea913a.exe
- Size: 928KB
- MD5: 2885d39472461249eea2d56856ea913a
- SHA1: be776462df8db7324fd77a134935e6ed17ba6d0a
- SHA256: 311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7
- SHA512: 2e85f2bfab8a6aab56ec4fd490b09f139d749536020681807c1bc5b0bc0425a5415678182cbf9834f5f67e0fedf21e18259ecf5b2c40f88f271fce93550d7a49
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\94A4C56A47\Log.txt
- Family: masslogger
Signatures
- NTFS ADS (1 IoCs)
  Processes:
    description: File created; ioc: C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe:ZoneIdentifier; process: notepad.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid: 512; process: ghjkzxijdk.exe
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule: masslogger_log_file
- Matched YARA rule: upx
  Processes:
    resource: behavioral2/memory/800-4-0x0000000000400000-0x0000000000541000-memory.dmp; yara_rule: upx
    resource: behavioral2/memory/800-8-0x0000000000400000-0x0000000000541000-memory.dmp; yara_rule: upx
    resource: behavioral2/memory/800-10-0x0000000000400000-0x0000000000541000-memory.dmp; yara_rule: upx
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid: 800; process: ghjkzxijdk.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid: 800; process: ghjkzxijdk.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid: 512; process: ghjkzxijdk.exe
    pid: 800; process: ghjkzxijdk.exe
    pid: 892; process: ghjkzxijdk.exe
- Suspicious behavior: EnumeratesProcesses (2632 IoCs)
  Processes:
    pid: 3056; process: 2885d39472461249eea2d56856ea913a.exe (2 rows)
    pid: 512; process: ghjkzxijdk.exe (2 rows)
    pid: 892; process: ghjkzxijdk.exe (all remaining rows shown in the report are this same entry)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    PID 3056 wrote to memory of 2764: 2885d39472461249eea2d56856ea913a.exe -> notepad.exe (5 rows)
    PID 2764 wrote to memory of 512: notepad.exe -> ghjkzxijdk.exe (3 rows)
    PID 512 wrote to memory of 800: ghjkzxijdk.exe -> ghjkzxijdk.exe (3 rows)
    PID 512 wrote to memory of 892: ghjkzxijdk.exe -> ghjkzxijdk.exe (3 rows)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 1; ioc: api.ipify.org
- Drops startup file (1 IoCs)
  Processes:
    description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs; process: notepad.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 512 set thread context of 800; pid: 512; process: ghjkzxijdk.exe; target process: ghjkzxijdk.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 800; process: ghjkzxijdk.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\2885d39472461249eea2d56856ea913a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2885d39472461249eea2d56856ea913a.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - Drops startup file
    - (depth 3) C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
      Command line: "C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe"
      - Suspicious behavior: MapViewOfSection
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - (depth 4) C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: AddClipboardFormatListener
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      - (depth 4) C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 800 97656
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe (listed 4 times)
- memory/512-1-0x0000000000000000-mapping.dmp
- memory/800-4-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/800-5-0x000000000053FBC0-mapping.dmp
- memory/800-8-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/800-10-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)
- memory/800-11-0x0000000002310000-0x00000000023AA000-memory.dmp (Filesize: 616KB)
- memory/800-12-0x00000000023E2000-0x00000000023E3000-memory.dmp (Filesize: 4KB)
- memory/892-7-0x0000000000000000-mapping.dmp
- memory/2764-0-0x0000000000000000-mapping.dmp