Analysis
-
max time kernel
71s -
max time network
116s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30/11/2020, 15:41
Static task
static1
Behavioral task
behavioral1
Sample
PO_92847.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO_92847.doc
Resource
win10v20201028
General
-
Target
PO_92847.doc
-
Size
1.5MB
-
MD5
973992ab7ffd7202b6f3d40f1828625c
-
SHA1
4181c8d062508316f6727e73337c7617f6dc2ce8
-
SHA256
cc3b971f25d0ad410dbe3b7d1d6235041eb36632d0ea6e8d34a6a94e41d79df3
-
SHA512
03b40a71d59c7dd756a117c68abc3d950240dd8f7f450dff851db5601ba80c2a23b816e2f6a8ea7b229405c394d6520c0c62c1277669ef1de85e059c1a62a810
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 4 IoCs
resource yara_rule behavioral1/memory/1836-14-0x00000000004821CE-mapping.dmp family_masslogger behavioral1/memory/1836-13-0x0000000000400000-0x00000000004B4000-memory.dmp family_masslogger behavioral1/memory/1836-16-0x0000000000400000-0x00000000004B4000-memory.dmp family_masslogger behavioral1/memory/1836-17-0x0000000000400000-0x00000000004B4000-memory.dmp family_masslogger -
Blacklisted process makes network request 1 IoCs
flow pid Process 6 1424 EQNEDT32.EXE -
Executes dropped EXE 2 IoCs
pid Process 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Loads dropped DLL 1 IoCs
pid Process 1424 EQNEDT32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1568 set thread context of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 1424 EQNEDT32.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 752 WINWORD.EXE 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe Token: SeDebugPrivilege 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 752 WINWORD.EXE 752 WINWORD.EXE 1836 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1424 wrote to memory of 1568 1424 EQNEDT32.EXE 32 PID 1424 wrote to memory of 1568 1424 EQNEDT32.EXE 32 PID 1424 wrote to memory of 1568 1424 EQNEDT32.EXE 32 PID 1424 wrote to memory of 1568 1424 EQNEDT32.EXE 32 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36 PID 1568 wrote to memory of 1836 1568 ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe 36
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO_92847.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:752
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836
-
-