Analysis
max time kernel: 123s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 28/11/2020, 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: Document,PDF.com.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Document,PDF.com.exe
  Resource: win10v20201028
General
Target: Document,PDF.com.exe
Size: 762KB
MD5: b9ffffd93501391a2910e75c2ee0abe0
SHA1: 23a0b7c463d3682fa9a567b1f60b3943d44d3ef3
SHA256: f4c976f3587362c6138a4dd309aabf2ec5c31f0ebe98b4618a2f52f145ce4a77
SHA512: 830cdf1c15cd19d66899a630d1bec09a5933ee76b0bb17a8025a48d0a650e2c1a23c4b14a47e757814d0474b05a75c4756ff9abbae52b1d15786432cf5cdb597
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\5FADD7138A\Log.txt
Family: masslogger
Signatures

MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule: masslogger_log_file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely used for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation
  Process: Document,PDF.com.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
  Process: Document,PDF.com.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 6
  ioc: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  description: PID 800 set thread context of 1628
  pid: 800
  Process: Document,PDF.com.exe
  procid_target: 29

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 1628
  Process: Document,PDF.com.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 1628
  Process: Document,PDF.com.exe
  (4 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege
  pid: 800
  Process: Document,PDF.com.exe
  description: Token: SeDebugPrivilege
  pid: 1628
  Process: Document,PDF.com.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1628
  Process: Document,PDF.com.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 800 wrote to memory of 1628
  pid: 800
  Process: Document,PDF.com.exe
  procid_target: 29
  (12 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Document,PDF.com.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Document,PDF.com.exe"
  PID: 800
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Document,PDF.com.exe (child of PID 800)
    command line: "C:\Users\Admin\AppData\Local\Temp\Document,PDF.com.exe"
    PID: 1628
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx