Analysis

  • max time kernel
    75s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30/11/2020, 14:25

General

  • Target

    PAYMENT REMIT COPY 673578.pif.exe

  • Size

    611KB

  • MD5

    7a2383c694b62f4e180ce68ca761407a

  • SHA1

    4bb84adc5fa25b720776947e1d677a01e4e38fb5

  • SHA256

    53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5

  • SHA512

    a0732860c30f05470db2fc7d25cb3d8c8261729d7a2cbbd1d0f079a8bd72df7ae87a62d73c12ff29a4cf5540972b0abd17daeaa78537dc3e8b7a9a15e55dbd75

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/640-9-0x00000000052C0000-0x00000000052D6000-memory.dmp

    Filesize

    88KB

  • memory/640-5-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

  • memory/640-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

    Filesize

    4KB

  • memory/640-7-0x0000000004E70000-0x0000000004E71000-memory.dmp

    Filesize

    4KB

  • memory/640-8-0x0000000006B70000-0x0000000006C08000-memory.dmp

    Filesize

    608KB

  • memory/640-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/640-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

  • memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp

    Filesize

    544KB

  • memory/3008-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/3008-18-0x00000000063D0000-0x00000000063D1000-memory.dmp

    Filesize

    4KB

  • memory/3008-20-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

    Filesize

    4KB

  • memory/3008-21-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

    Filesize

    4KB