Analysis
-
max time kernel
122s -
max time network
141s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01/12/2020, 11:59
Static task
static1
Behavioral task
behavioral1
Sample
CHIKWA..exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
CHIKWA..exe
Resource
win10v20201028
General
-
Target
CHIKWA..exe
-
Size
20KB
-
MD5
a2efd1ac34c151a0099342619d5d046f
-
SHA1
d3c39ff8b425565983aa0277c348e7acb49c0007
-
SHA256
36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6
-
SHA512
b6a445a1d43cf529d054dc05a42c01337eb1fc3bfc5d00599ed75266ac3407652e73740a49cd0da77768be6e3caa9d98ce1fec636579ef60a8757f5901a70332
Malware Config
Extracted
Protocol: smtp- Host:
mail.banoto.com - Port:
587 - Username:
[email protected] - Password:
ban127001
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 4 IoCs
resource yara_rule behavioral1/memory/1756-8-0x0000000000400000-0x0000000000498000-memory.dmp family_masslogger behavioral1/memory/1756-9-0x000000000049307E-mapping.dmp family_masslogger behavioral1/memory/1756-10-0x0000000000400000-0x0000000000498000-memory.dmp family_masslogger behavioral1/memory/1756-11-0x0000000000400000-0x0000000000498000-memory.dmp family_masslogger -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe\"" CHIKWA..exe -
Executes dropped EXE 1 IoCs
pid Process 1648 Dqzimr_btc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation CHIKWA..exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe CHIKWA..exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe CHIKWA..exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk Dqzimr_btc.exe -
Loads dropped DLL 2 IoCs
pid Process 1540 powershell.exe 1648 Dqzimr_btc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" CHIKWA..exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHIKWA..exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" CHIKWA..exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1080 set thread context of 1756 1080 CHIKWA..exe 33 -
Delays execution with timeout.exe 1 IoCs
pid Process 1964 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1756 CHIKWA..exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1080 CHIKWA..exe 1080 CHIKWA..exe 1756 CHIKWA..exe 1756 CHIKWA..exe 1756 CHIKWA..exe 1756 CHIKWA..exe 1504 powershell.exe 1540 powershell.exe 1504 powershell.exe 1540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1080 CHIKWA..exe Token: SeDebugPrivilege 1756 CHIKWA..exe Token: SeDebugPrivilege 1504 powershell.exe Token: SeDebugPrivilege 1540 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1756 CHIKWA..exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1080 wrote to memory of 1324 1080 CHIKWA..exe 26 PID 1080 wrote to memory of 1324 1080 CHIKWA..exe 26 PID 1080 wrote to memory of 1324 1080 CHIKWA..exe 26 PID 1080 wrote to memory of 1324 1080 CHIKWA..exe 26 PID 1324 wrote to memory of 1964 1324 cmd.exe 28 PID 1324 wrote to memory of 1964 1324 cmd.exe 28 PID 1324 wrote to memory of 1964 1324 cmd.exe 28 PID 1324 wrote to memory of 1964 1324 cmd.exe 28 PID 1080 wrote to memory of 396 1080 CHIKWA..exe 32 PID 1080 wrote to memory of 396 1080 CHIKWA..exe 32 PID 1080 wrote to memory of 396 1080 CHIKWA..exe 32 PID 1080 wrote to memory of 396 1080 CHIKWA..exe 32 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1080 wrote to memory of 1756 1080 CHIKWA..exe 33 PID 1756 wrote to memory of 1504 1756 CHIKWA..exe 35 PID 1756 wrote to memory of 1504 1756 CHIKWA..exe 35 PID 1756 wrote to memory of 1504 1756 CHIKWA..exe 35 PID 1756 wrote to memory of 1504 1756 CHIKWA..exe 35 PID 1756 wrote to memory of 1540 1756 CHIKWA..exe 37 PID 1756 wrote to memory of 1540 1756 CHIKWA..exe 37 PID 1756 wrote to memory of 1540 1756 CHIKWA..exe 37 PID 1756 wrote to memory of 1540 1756 CHIKWA..exe 37 PID 1540 wrote to memory of 1648 1540 powershell.exe 39 PID 1540 wrote to memory of 1648 1540 powershell.exe 39 PID 1540 wrote to memory of 1648 1540 powershell.exe 39 PID 1540 wrote to memory of 1648 1540 powershell.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 4.8282⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\timeout.exetimeout 4.8283⤵
- Delays execution with timeout.exe
PID:1964
-
-
-
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"2⤵PID:396
-
-
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe'3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe"C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
PID:1648
-
-
-