Analysis
-
max time kernel
132s -
max time network
139s -
platform
windows7_x64 -
resource
win7 -
submitted
28-08-2020 06:10
General
-
Target
order9321t.exe
-
Size
940KB
-
MD5
397c5bbcc75db8567548322417aa05fd
-
SHA1
d65b345c5863550cb7c454eedf2de0e16fbd391e
-
SHA256
72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8
-
SHA512
85d71264d951cc6d921b3ae29e716d3e21566daca5bd315d46a9778313573677e5e1feb6339e92c41c2b3256544ec6dc66e49ec7f0ecf9f245500599b74b233b
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 4 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\order9321t.exe"C:\Users\Admin\AppData\Local\Temp\order9321t.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YdvIruZxoLuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\order9321t.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\order9321t.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
764KB
-
Filesize
700KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
6.9MB