Overview

overview

10

Static

static

PAYMENT DE...ON.exe

windows7_x64

9

PAYMENT DE...ON.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    17-09-2020 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT DETAILS CONFIRMATION.exe

  • Size

    992KB

  • MD5

    73c81dd67773b2efa5261e20adf74a5b

  • SHA1

    fde0db688d6abb4aad0bb646db9f1c192d980b5a

  • SHA256

    ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

  • SHA512

    8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9

Score
10/10
evasionstealerspywaremasslogger

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
      2⤵
        PID:1944
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe'
            4⤵
              PID:192

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      2
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT DETAILS CONFIRMATION.exe.log
        MD5

        5ce36f0c4d9568839c224ffaa10d5441

        SHA1

        69c0cdded0b415091641c3fbf64b7fbd7e285e47

        SHA256

        c93c5a9fdaa44aeb7f25c89abed40a1ca6432bf3ea840e2820388bef68cd116a

        SHA512

        a6ef350d4f36f35b42ce0b8a4df83f17fb0a4f66dcfa32617b22e642168291bede3b612969e0eec293d7ca1ba0aef7a05c31823bd41821e0880b609f280b0b83

        Download Submit
      • memory/192-26-0x0000000000000000-mapping.dmp
        Download
      • memory/192-25-0x0000000000000000-mapping.dmp
        Download
      • memory/3080-13-0x0000000000400000-0x00000000004B8000-memory.dmp
        Filesize

        736KB

        Download
      • memory/3080-21-0x00000000056D0000-0x0000000005741000-memory.dmp
        Filesize

        452KB

        Download
      • memory/3080-16-0x0000000073950000-0x000000007403E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3080-14-0x00000000004B31FE-mapping.dmp
        Download
      • memory/3288-6-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-9-0x0000000005980000-0x0000000005A43000-memory.dmp
        Filesize

        780KB

        Download
      • memory/3288-10-0x0000000004FB0000-0x0000000004FB2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3288-11-0x0000000005AD0000-0x0000000005B87000-memory.dmp
        Filesize

        732KB

        Download
      • memory/3288-12-0x0000000005D00000-0x0000000005D01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-8-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3288-7-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-0-0x0000000073950000-0x000000007403E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3288-5-0x0000000004B90000-0x0000000004B91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-4-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-3-0x0000000004A50000-0x0000000004A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3288-1-0x0000000000010000-0x0000000000011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3916-24-0x0000000000000000-mapping.dmp
        Download