Overview

overview

10

Static

static

SKM_C25820...20.exe

windows7_x64

10

SKM_C25820...20.exe

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-11-2020 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKM_C25820112116120.exe

  • Size

    1.2MB

  • MD5

    2559a4a701f88d7793082cea77f7a73c

  • SHA1

    5548a12e53461128020f9feaefdeac7f797e2830

  • SHA256

    5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785

  • SHA512

    a929420bb0bb9fc22262dbec8145a3c451e241a096c18eb3bd3e78c7766e5b021fcc9462477ea58866f4b329d65a2f2e3ec738fbf64d4dadd201cb3eab428ca2

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SKM_C25820112116120.exe
    "C:\Users\Admin\AppData\Local\Temp\SKM_C25820112116120.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1512
    • C:\Users\Admin\AppData\Local\Temp\SKM_C25820112116120.exe
      "C:\Users\Admin\AppData\Local\Temp\SKM_C25820112116120.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SKM_C25820112116120.exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml
    MD5

    aa2f6636e997aaa0b01fbc78b1dabe52

    SHA1

    fd462100fc91975dcbea8e361cf1eb8a70f6ad54

    SHA256

    d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

    SHA512

    6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

    Download Submit
  • memory/1172-14-0x0000000073450000-0x0000000073B3E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1172-20-0x0000000007560000-0x0000000007561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1172-26-0x0000000008D20000-0x0000000008D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-24-0x00000000093A0000-0x00000000093A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-23-0x0000000007C80000-0x0000000007C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-22-0x00000000079B0000-0x00000000079B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-21-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-18-0x0000000007480000-0x0000000007481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-15-0x0000000001020000-0x0000000001021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-27-0x0000000001340000-0x0000000001341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-25-0x0000000008940000-0x0000000008941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-17-0x0000000006B90000-0x0000000006B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-16-0x0000000006E50000-0x0000000006E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1512-6-0x0000000000000000-mapping.dmp
    Download
  • memory/3060-0-0x0000000000000000-mapping.dmp
    Download
  • memory/3796-12-0x00000000057B0000-0x00000000057B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3796-11-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3796-2-0x000000000040188B-mapping.dmp
    Download
  • memory/3796-10-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3796-8-0x00000000050A0000-0x0000000005121000-memory.dmp
    Filesize

    516KB

    Download
  • memory/3796-1-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3796-5-0x0000000073230000-0x000000007391E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3796-3-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download