Overview

overview

10

Static

static

60091743pdf.exe

windows7_x64

10

60091743pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    30-08-2020 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60091743pdf.exe

  • Size

    1.1MB

  • MD5

    c9b3ce0f3c3350621b6df632369a58f8

  • SHA1

    ac29d51d75264cad92760259a8b2a4c358516975

  • SHA256

    9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

  • SHA512

    96a329657409994e8485ded30d9dce953ee19489ab6242df62a2cade14ea107b328043c7ec7c024c3151370c41a16e12fa3ef3bc5371796d436c723b8a3da690

Score
10/10
stealerspywaremasslogger

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwwFxKnJy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD586.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1800
    • C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3708
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2088-21-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2088-16-0x0000000073980000-0x000000007406E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2088-13-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2920-8-0x0000000005A50000-0x0000000005A5B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2920-9-0x0000000006A20000-0x0000000006ADE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2920-10-0x0000000006B20000-0x0000000006BB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2920-0-0x0000000073980000-0x000000007406E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2920-7-0x00000000057D0000-0x00000000057D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-6-0x0000000005570000-0x0000000005571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-5-0x0000000005610000-0x0000000005611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-4-0x0000000005A70000-0x0000000005A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-23-0x0000000073A00000-0x00000000740EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3708-30-0x0000000007820000-0x0000000007821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-24-0x0000000004590000-0x0000000004591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-25-0x00000000071B0000-0x00000000071B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-26-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-27-0x0000000007090000-0x0000000007091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-29-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-31-0x0000000007E10000-0x0000000007E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-32-0x00000000080E0000-0x00000000080E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-33-0x0000000009800000-0x0000000009801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-34-0x0000000008D80000-0x0000000008D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-35-0x0000000009180000-0x0000000009181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-36-0x0000000006C40000-0x0000000006C41000-memory.dmp

    Filesize

    4KB

    Download