Analysis

  • max time kernel
    71s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    30/11/2020, 15:41

General

  • Target

    PO_92847.doc

  • Size

    1.5MB

  • MD5

    973992ab7ffd7202b6f3d40f1828625c

  • SHA1

    4181c8d062508316f6727e73337c7617f6dc2ce8

  • SHA256

    cc3b971f25d0ad410dbe3b7d1d6235041eb36632d0ea6e8d34a6a94e41d79df3

  • SHA512

    03b40a71d59c7dd756a117c68abc3d950240dd8f7f450dff851db5601ba80c2a23b816e2f6a8ea7b229405c394d6520c0c62c1277669ef1de85e059c1a62a810

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check so the payload only runs (or refuses to run) in selected regions.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component, started out-of-process via DCOM (hence the "-Embedding" argument and the fact that it is not a child of WINWORD.EXE in the tree below), that is often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO_92847.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:752
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blacklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe
      "C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe
        "C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1836
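The process tree above is the whole story of this sample in four events: Word opens the document, Equation Editor is launched out-of-process and spawns an executable from AppData\Roaming, and that executable launches a second copy of itself (the SetThreadContext target that ends up holding the MassLogger payload). The following is an added example, not part of the sandbox output, showing how the "Launches Equation Editor" and self-spawn patterns in this tree translate into detection rules over process-creation events. The events are constructed from the report in a Sysmon Event ID 1 shape; the field names, the USER_WRITABLE directory list and the assumption that EQNEDT32.EXE has no visible parent here are mine, not a vendor schema.

```python
"""Process-tree detection over the chain in this report.

Added example, not part of the sandbox output. The events are constructed from
the report's Processes section in a Sysmon Event ID 1 (process creation) shape;
the field names and the USER_WRITABLE list are assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not present in this sample
    image: str       # full path of the executable
    cmdline: str


DROPPED = r"C:\Users\Admin\AppData\Roaming\ueriopdrfuitr8geywtuidgouhsijc;oriuhfwej.exe"

# Constructed from the report. EQNEDT32.EXE sits at top level because it is
# started out-of-process by DCOM ("-Embedding"); on a live host Sysmon records
# svchost.exe (DcomLaunch) as its parent, never WINWORD.EXE.
EVENTS: List[ProcEvent] = [
    ProcEvent(752, 0,
              r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\PO_92847.doc"'),
    ProcEvent(1424, 0,
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1568, 1424, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1836, 1568, DROPPED, f'"{DROPPED}"'),
]

# Directories an unprivileged user can write to (assumed list); a fresh .exe
# running from one of these right after an Office component is the classic
# maldoc dropper pattern.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the root of the visible tree down to pid."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:      # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [reason, ...]} for every event that trips at least one rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons: List[str] = []
        parent = by_pid.get(e.ppid)
        lower = e.image.lower()

        # Rule 1: Equation Editor has no business spawning children. Any child
        # of EQNEDT32.EXE is the execution pattern of CVE-2017-11882 style exploits.
        if parent is not None and image_name(parent.image) == "eqnedt32.exe":
            reasons.append("child of EQNEDT32.EXE")

        # Rule 2: an executable running from a user-writable profile directory.
        if lower.endswith(".exe") and any(d in lower for d in USER_WRITABLE):
            reasons.append("executable in user-writable directory")

        # Rule 3: a process launching a second copy of its own image. On its own
        # this is noisy (browsers do it), so it only fires when the image also
        # matched rule 2. In the report the second copy is the SetThreadContext
        # target, i.e. the hollowed host for the MassLogger payload.
        if (parent is not None and parent.image.lower() == lower
                and "executable in user-writable directory" in reasons):
            reasons.append("self-spawn from user-writable path (hollowing pattern)")

        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(pid, " -> ".join(ancestry(EVENTS, pid)))
        for r in why:
            print("   ", r)
```

Run against the constructed events, WINWORD.EXE and EQNEDT32.EXE themselves produce no findings; PID 1568 trips rules 1 and 2, PID 1836 trips rules 2 and 3. Rule 1 is the one worth deploying as-is: on a patched estate EQNEDT32.EXE should not run at all, and a child process under it is close to a zero-false-positive signal. Rules 2 and 3 need the tuning the comments describe before they are quiet enough for production.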

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/752-2-0x0000000003F90000-0x0000000003F94000-memory.dmp

    Filesize

    16KB

  • memory/1568-11-0x0000000005D10000-0x0000000005DB4000-memory.dmp

    Filesize

    656KB

  • memory/1568-8-0x000000006B2D0000-0x000000006B9BE000-memory.dmp

    Filesize

    6.9MB

  • memory/1568-9-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

  • memory/1568-12-0x00000000004D0000-0x00000000004E6000-memory.dmp

    Filesize

    88KB

  • memory/1836-13-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/1836-16-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/1836-17-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/1836-18-0x000000006B2D0000-0x000000006B9BE000-memory.dmp

    Filesize

    6.9MB

  • memory/1940-3-0x000007FEF7500000-0x000007FEF777A000-memory.dmp

    Filesize

    2.5MB