Analysis
max time kernel: 75s
max time network: 70s
platform: windows10_x64
resource: win10v200722
submitted: 30-08-2020 05:57

Static task: static1
Behavioral task: behavioral1
  Sample: Order Inquiry List.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: Order Inquiry List.exe
  Resource: win10v200722
General
Target: Order Inquiry List.exe
Size: 1.1MB
MD5: 5a82e2c1d04b28f1d1c7861b231ccfce
SHA1: 39adba5bb7a9585d50993a6264f05aecafcd0a92
SHA256: 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
SHA512: b32280588cbb9e128ba84c800252edca5736c714ff90d9f710ab684537621c99e63c2e4fe41f36c3313098f20d710661b483bdfbd5e35dbc4410d4bcc339f1ba
Malware Config
Signatures
MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/2948-11-0x0000000000400000-0x00000000004B8000-memory.dmp   family_masslogger
behavioral2/memory/2948-12-0x00000000004B34AE-mapping.dmp                     family_masslogger
Both matches are against memory dumps of PID 2948, the second copy of the sample, not against the file on disk: the unpacked MassLogger payload is only present in memory after the parent has written it into the child process.
Deletes itself (1 IoCs)
pid    Process
3592   powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process                  procid_target
PID 728 set thread context of 2948    728   Order Inquiry List.exe   76
Drops file in Windows directory (1 IoCs)
description                    ioc                                                            Process
File opened for modification   C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat    svchost.exe
Modifies data under HKEY_USERS (5 IoCs)
description        ioc                                                                                                                            Process
Set value (data)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bd013da7a37ed601   svchost.exe
Set value (int)    \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"                    svchost.exe
Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                          svchost.exe
Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7                                        svchost.exe
Set value (int)    \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"              svchost.exe
These keys, together with the cachev3.dat write above, come from svchost.exe hosting WinHttpAutoProxySvc (the WPAD autoproxy service running as LOCAL SERVICE, SID S-1-5-19), not from the sample; they are normal Windows proxy-discovery activity in the sandbox and should not be used as indicators for this malware.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid    Process
2948   Order Inquiry List.exe
2948   Order Inquiry List.exe
3592   powershell.exe
3592   powershell.exe
3592   powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                         pid    Process
Token: SeShutdownPrivilege          364    svchost.exe
Token: SeCreatePagefilePrivilege    364    svchost.exe
Token: SeDebugPrivilege             2948   Order Inquiry List.exe
Token: SeDebugPrivilege             3592   powershell.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description                           pid    Process                  procid_target   count
PID 728 wrote to memory of 2948       728    Order Inquiry List.exe   76              8
PID 2948 wrote to memory of 208       2948   Order Inquiry List.exe   78              3
PID 208 wrote to memory of 3592       208    cmd.exe                  80              3
Processes

1. C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
   "C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 728

   2. C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
      "C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2948

      3. C:\Windows\SysWOW64\cmd.exe
         "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
         - Suspicious use of WriteProcessMemory
         PID: 208

         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
            - Deletes itself
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3592

1. C:\Windows\system32\svchost.exe
   C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Suspicious use of AdjustPrivilegeToken
   PID: 364
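The process tree above shows the two behaviours worth writing detections for: the parent (PID 728) starts a second copy of its own image (PID 2948), writes into it eight times and then calls SetThreadContext (the RunPE / process hollowing sequence that explains why the MassLogger payload is only found in PID 2948's memory), and the hollowed child then uses cmd.exe to launch a delayed PowerShell Remove-Item against the path it was loaded from. The following Python is an added example, not part of the sandbox report or of any detection product: it models the report's process tree as a constructed in-memory event list (the field names event, pid, ppid, target_pid, image and cmdline are assumptions, not a real Sysmon or EDR schema) and flags both patterns, while leaving the benign svchost.exe activity alone.

```python
"""Detect self-hollowing and delayed self-deletion from a process/event stream.

Added example; the events below are constructed to mirror the PIDs in the
sandbox report above and are not captured telemetry. The record layout is an
assumption, not a real Sysmon/EDR schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"

# Constructed events modelled on the report's process tree (not captured data).
EVENTS = (
    [
        {"event": "process_create", "pid": 728, "ppid": 1, "image": SAMPLE,
         "cmdline": f'"{SAMPLE}"'},
        {"event": "process_create", "pid": 2948, "ppid": 728, "image": SAMPLE,
         "cmdline": f'"{SAMPLE}"'},
    ]
    + [{"event": "write_process_memory", "pid": 728, "target_pid": 2948} for _ in range(8)]
    + [
        {"event": "set_thread_context", "pid": 728, "target_pid": 2948},
        {"event": "process_create", "pid": 208, "ppid": 2948,
         "image": r"C:\Windows\SysWOW64\cmd.exe",
         "cmdline": f'"cmd" /c start /b powershell Start-Sleep -Seconds 2; '
                    f"Remove-Item -path '{SAMPLE}' & exit"},
        {"event": "process_create", "pid": 3592, "ppid": 208,
         "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": f"powershell Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE}'"},
        # Benign noise from the same run: the WPAD autoproxy service host.
        {"event": "process_create", "pid": 364, "ppid": 1,
         "image": r"C:\Windows\system32\svchost.exe",
         "cmdline": r"C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc"},
    ]
)


def build_process_table(events):
    """Map pid -> {image, ppid, cmdline} from process_create events."""
    procs = {}
    for e in events:
        if e["event"] == "process_create":
            procs[e["pid"]] = {"image": e["image"], "ppid": e["ppid"], "cmdline": e["cmdline"]}
    return procs


def detect_self_hollowing(events, procs):
    """Flag a parent that wrote into, then set the thread context of, its own
    child running the same image. Writes followed by SetThreadContext on a
    freshly spawned copy of yourself is the classic RunPE / hollowing sequence."""
    writes = defaultdict(int)
    hits = []
    for e in events:
        if e["event"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["event"] == "set_thread_context":
            src, dst = e["pid"], e["target_pid"]
            parent, child = procs.get(src, {}), procs.get(dst, {})
            same_image = parent.get("image", "").lower() == child.get("image", "!").lower()
            if same_image and child.get("ppid") == src and writes[(src, dst)] > 0:
                hits.append({"parent": src, "child": dst, "writes": writes[(src, dst)]})
    return hits


def ancestors(pid, procs):
    """Return pid and its ancestors, nearest first, until the chain leaves the table."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


REMOVE_ITEM = re.compile(r"Remove-Item\s+-path\s+'([^']+)'", re.IGNORECASE)


def detect_self_deletion(procs):
    """Flag a powershell Remove-Item whose target is the image path of one of
    the caller's ancestors, i.e. a process arranging to delete the file it ran from."""
    hits = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("powershell.exe"):
            continue
        m = REMOVE_ITEM.search(p["cmdline"])
        if not m:
            continue
        target = m.group(1).lower()
        for anc in ancestors(p["ppid"], procs):
            if procs[anc]["image"].lower() == target:
                hits.append({"powershell_pid": pid, "deleted_image_pid": anc, "path": m.group(1)})
                break
    return hits


if __name__ == "__main__":
    table = build_process_table(EVENTS)
    print("hollowing:", detect_self_hollowing(EVENTS, table))
    print("self-deletion:", detect_self_deletion(table))
```

The hollowing rule deliberately requires all three conditions (same image, parent-child relationship, at least one prior write) so that legitimate debuggers and crash handlers, which also call SetThreadContext, do not fire; the self-deletion rule walks the ancestor chain rather than only the direct parent because, as here, the Remove-Item is usually one or two shells away from the process whose file it removes.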
Network
MITRE ATT&CK Matrix
Downloads
MD5: 90acfd72f14a512712b1a7380c0faf60
SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9