Analysis

  • max time kernel
    44s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01/12/2020, 11:59

General

  • Target

    CHIKWA..exe

  • Size

    20KB

  • MD5

    a2efd1ac34c151a0099342619d5d046f

  • SHA1

    d3c39ff8b425565983aa0277c348e7acb49c0007

  • SHA256

    36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6

  • SHA512

    b6a445a1d43cf529d054dc05a42c01337eb1fc3bfc5d00599ed75266ac3407652e73740a49cd0da77768be6e3caa9d98ce1fec636579ef60a8757f5901a70332

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
    "C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 4.828
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4.828
        3⤵
        • Delays execution with timeout.exe
        PID:2828
    • C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
      "C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2432-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (Filesize: 4KB)
  • memory/2432-5-0x00000000057F0000-0x00000000057F1000-memory.dmp (Filesize: 4KB)
  • memory/2432-8-0x000000000BBE0000-0x000000000BD41000-memory.dmp (Filesize: 1.4MB)
  • memory/2432-9-0x000000000C250000-0x000000000C251000-memory.dmp (Filesize: 4KB)
  • memory/2432-2-0x0000000073970000-0x000000007405E000-memory.dmp (Filesize: 6.9MB)
  • memory/3132-18-0x0000000005B00000-0x0000000005B01000-memory.dmp (Filesize: 4KB)
  • memory/3132-13-0x0000000073980000-0x000000007406E000-memory.dmp (Filesize: 6.9MB)
  • memory/3132-16-0x0000000005760000-0x0000000005761000-memory.dmp (Filesize: 4KB)
  • memory/3132-10-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize: 608KB)
  • memory/3896-23-0x0000000007010000-0x0000000007011000-memory.dmp (Filesize: 4KB)
  • memory/3896-27-0x0000000007860000-0x0000000007861000-memory.dmp (Filesize: 4KB)
  • memory/3896-21-0x0000000004590000-0x0000000004591000-memory.dmp (Filesize: 4KB)
  • memory/3896-22-0x0000000007170000-0x0000000007171000-memory.dmp (Filesize: 4KB)
  • memory/3896-24-0x00000000070B0000-0x00000000070B1000-memory.dmp (Filesize: 4KB)
  • memory/3896-26-0x0000000007A60000-0x0000000007A61000-memory.dmp (Filesize: 4KB)
  • memory/3896-20-0x00000000739F0000-0x00000000740DE000-memory.dmp (Filesize: 6.9MB)
  • memory/3896-28-0x00000000082F0000-0x00000000082F1000-memory.dmp (Filesize: 4KB)
  • memory/3896-29-0x00000000080A0000-0x00000000080A1000-memory.dmp (Filesize: 4KB)
  • memory/3896-30-0x0000000009820000-0x0000000009821000-memory.dmp (Filesize: 4KB)
  • memory/3896-31-0x0000000008DA0000-0x0000000008DA1000-memory.dmp (Filesize: 4KB)
  • memory/3896-32-0x00000000091A0000-0x00000000091A1000-memory.dmp (Filesize: 4KB)
  • memory/3896-33-0x0000000006C40000-0x0000000006C41000-memory.dmp (Filesize: 4KB)