Analysis
-
max time kernel
66s -
max time network
113s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
17-09-2020 05:09
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT DETAILS CONFIRMATION.exe
Resource
win7
Behavioral task
behavioral2
Sample
PAYMENT DETAILS CONFIRMATION.exe
Resource
win10v200722
General
-
Target
PAYMENT DETAILS CONFIRMATION.exe
-
Size
992KB
-
MD5
73c81dd67773b2efa5261e20adf74a5b
-
SHA1
fde0db688d6abb4aad0bb646db9f1c192d980b5a
-
SHA256
ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
-
SHA512
8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 2 IoCs
resource yara_rule behavioral2/memory/3080-13-0x0000000000400000-0x00000000004B8000-memory.dmp family_masslogger behavioral2/memory/3080-14-0x00000000004B31FE-mapping.dmp family_masslogger -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PAYMENT DETAILS CONFIRMATION.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PAYMENT DETAILS CONFIRMATION.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PAYMENT DETAILS CONFIRMATION.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3288 set thread context of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3288 PAYMENT DETAILS CONFIRMATION.exe 3288 PAYMENT DETAILS CONFIRMATION.exe 3080 PAYMENT DETAILS CONFIRMATION.exe 3080 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3288 PAYMENT DETAILS CONFIRMATION.exe Token: SeDebugPrivilege 3080 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3288 wrote to memory of 1944 3288 PAYMENT DETAILS CONFIRMATION.exe 76 PID 3288 wrote to memory of 1944 3288 PAYMENT DETAILS CONFIRMATION.exe 76 PID 3288 wrote to memory of 1944 3288 PAYMENT DETAILS CONFIRMATION.exe 76 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3288 wrote to memory of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe 77 PID 3080 wrote to memory of 3916 3080 PAYMENT DETAILS CONFIRMATION.exe 78 PID 3080 wrote to memory of 3916 3080 PAYMENT DETAILS CONFIRMATION.exe 78 PID 3080 wrote to memory of 3916 3080 PAYMENT DETAILS CONFIRMATION.exe 78 PID 3916 wrote to memory of 192 3916 cmd.exe 80 PID 3916 wrote to memory of 192 3916 cmd.exe 80 PID 3916 wrote to memory of 192 3916 cmd.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe'4⤵PID:192
-
-
-