Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7v20201028
submitted: 02/12/2020, 09:20

Static task: static1

Behavioral task: behavioral1
  Sample: Payment Advice.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Payment Advice.exe
  Resource: win10v20201028

General
Target: Payment Advice.exe
Size: 21KB
MD5: 361662a43b699d9ec3cdfd282ae7d223
SHA1: 1ed81bf68e94e16d1e56a78dc71c9fcd993e0973
SHA256: e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98
SHA512: 0d1898d0b7204e2154d5d3b6a38d6b1d69e27d7368d6f214cc10e0d711e42293876ed18e5d228e18f4dcaaea6de02dd672a20820513e724fce917960b83a2f42
Malware Config
Extracted
Protocol: smtp
Host: mail.porathacorp.com
Port: 587
Username: [email protected]
Password: susila@22

Exfiltration goes over authenticated SMTP submission (port 587) to the mailbox above. These values come out of the sample's embedded configuration, so an alert on this host name or account, or a block on outbound 587 from endpoints, catches the channel without depending on the dropper's file hashes.
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (4 IoCs)
All four matches are in the memory of PID 1268, the second instance of the sample, not in the 21 KB file on disk: the stealer body is only visible once the dropper has unpacked it, so file-hash IoCs for this sample identify the dropper, not the payload.
  resource                                                                      yara_rule
  behavioral1/memory/1268-8-0x0000000000400000-0x0000000000486000-memory.dmp    family_masslogger
  behavioral1/memory/1268-9-0x000000000048184E-mapping.dmp                      family_masslogger
  behavioral1/memory/1268-10-0x0000000000400000-0x0000000000486000-memory.dmp   family_masslogger
  behavioral1/memory/1268-11-0x0000000000400000-0x0000000000486000-memory.dmp   family_masslogger
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
The stock value of Winlogon\Shell is "explorer.exe"; Winlogon starts every comma-separated entry in the value, so the appended path launches the sample alongside the desktop at each logon. The value is written under \REGISTRY\USER, i.e. the current user's own hive, which needs no administrative rights.
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe\""
  Process: Payment Advice.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation
  Process: Payment Advice.exe

Deletes itself (1 IoC)
The deletion is carried out by a child powershell.exe (PID 1636) after a two-second sleep, so the file-delete event is attributed to powershell.exe rather than to the sample. Both Run key entries and the Winlogon Shell entry point at this same Temp path, so in the behaviour observed here the Startup-folder copy is the only autostart that still has a file behind it once the deletion has run.
  pid: 1636
  Process: powershell.exe

Drops startup file (2 IoCs)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.exe
  Process: Payment Advice.exe

  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.exe
  Process: Payment Advice.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe"
  Process: Payment Advice.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment Advice.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe"
  Process: Payment Advice.exe
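The Winlogon Shell, Startup-folder and Run key signatures above are the sample's whole autostart set, and every one of them is written to a location the user owns. The following is an added example, not code from the report or from the sandbox: Python that transcribes those IoCs as constructed input and ranks them the way a triage script over a registry export would, flagging any Winlogon Shell entry besides explorer.exe, Run/RunOnce values whose target lives in a user-writable directory, and files created in the Startup folder. The function names, the directory list and the finding labels are ours. The report shows the registry data JSON-escaped (`\"`, `\\`); the example uses the unescaped values.

```python
"""Triage of the autostart artifacts listed in this report.

Added example, not part of the sandbox report. REGISTRY_VALUES and
FILE_EVENTS are transcribed from the report's IoC lines (the report shows
the registry data JSON-escaped; it is unescaped here); the checks are ours
and apply equally to a live hive or a registry export.
"""
import ntpath

HIVE = r"\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

# (key, value name, data). "<Unknown>" is the value name as the report rendered it.
REGISTRY_VALUES = [
    (HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "shell",
     f'explorer.exe,"{SAMPLE}"'),
    (HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run", "<Unknown>", f'"{SAMPLE}"'),
    (HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Payment Advice.exe", f'"{SAMPLE}"'),
]

# (action, path) from the "Drops startup file" signature.
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.exe"
FILE_EVENTS = [
    ("File opened for modification", STARTUP),
    ("File created", STARTUP),
]

DEFAULT_SHELL = "explorer.exe"  # Windows' stock Winlogon\Shell value

# Directories a user-writable dropper typically runs from; an autostart entry
# pointing here ranks far above one pointing into Program Files.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def split_shell_value(data):
    """Split a Winlogon\\Shell value on commas, honouring double quotes so a
    quoted path with spaces or commas stays one entry (quotes are dropped)."""
    entries, current, quoted = [], [], False
    for ch in data:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def image_from_command(data):
    """Executable path at the head of a Run-style command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_DIRS)


def triage(registry_values=REGISTRY_VALUES, file_events=FILE_EVENTS):
    """(technique, detail) findings for the autostart artifacts."""
    findings = []
    for key, name, data in registry_values:
        k, n = key.lower(), name.lower()
        if k.endswith("\\windows nt\\currentversion\\winlogon") and n == "shell":
            # Winlogon launches every entry in the list; anything besides
            # explorer.exe starts alongside the desktop at every logon.
            extra = [e for e in split_shell_value(data)
                     if ntpath.basename(e).lower() != DEFAULT_SHELL]
            for e in extra:
                findings.append(("Winlogon Shell hijack", e))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            image = image_from_command(data)
            if in_user_writable_dir(image):
                findings.append(("Run key to user-writable path", f"{name} -> {image}"))
    for action, path in file_events:
        if action == "File created" and "\\start menu\\programs\\startup\\" in path.lower():
            findings.append(("Startup folder drop", path))
    return findings


if __name__ == "__main__":
    for technique, detail in triage():
        print(f"{technique}: {detail}")
```

Run as a script it prints four findings for this report: one Shell hijack, two Run values pointing into AppData\Local\Temp, and one Startup-folder drop. A stock `explorer.exe` Shell value or a Run entry under Program Files produces nothing, which is the point of ranking by location rather than by presence.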
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 9
  ioc: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
PID 548 set the thread context of PID 1268, a second instance of its own image into which it had also written memory nine times (see WriteProcessMemory below). Together with the MassLogger YARA matches being in PID 1268's memory rather than on disk, this is consistent with the 21 KB dropper unpacking the stealer into a hollowed copy of itself.
  description: PID 548 set thread context of 1268
  pid: 548
  Process: Payment Advice.exe
  procid_target: 32

Delays execution with timeout.exe (1 IoC)
  pid: 2016
  Process: timeout.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Registering for clipboard-change notifications is how a stealer captures pasted passwords and wallet addresses.
  pid: 1268
  Process: Payment Advice.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process             count
  1268  Payment Advice.exe  4
  600   powershell.exe      2
  1636  powershell.exe      2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  548   Payment Advice.exe
  Token: SeDebugPrivilege  1268  Payment Advice.exe
  Token: SeDebugPrivilege  600   powershell.exe
  Token: SeDebugPrivilege  1636  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
SetWindowsHookEx is the usual route for a user-mode keyboard hook; the report does not record which hook type was installed.
  pid: 1268
  Process: Payment Advice.exe

Suspicious use of WriteProcessMemory (25 IoCs)
The 25 records collapse to five parent/child pairs. A handful of writes into a freshly created child is normally produced by CreateProcess itself (it copies the process parameters into the new process), which is why every ordinary parent/child pair here shows four; the nine writes from PID 548 into PID 1268, paired with SetThreadContext above, are the outlier worth attention.
  description                       pid   Process             procid_target  count
  PID 548 wrote to memory of 1392   548   Payment Advice.exe  26             4
  PID 1392 wrote to memory of 2016  1392  cmd.exe             28             4
  PID 548 wrote to memory of 1268   548   Payment Advice.exe  32             9
  PID 1268 wrote to memory of 600   1268  Payment Advice.exe  34             4
  PID 1268 wrote to memory of 1636  1268  Payment Advice.exe  36             4
Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
  PID: 548
  - Modifies WinLogon for persistence
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 4.891
    PID: 1392
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      timeout 4.891
      PID: 2016
      - Delays execution with timeout.exe

  C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
    PID: 1268
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe'
      PID: 600
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe'
      PID: 1636
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
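The tree above is the dropper's full sequence: a cmd.exe/timeout delay, a second copy of its own image that receives the SetThreadContext and WriteProcessMemory activity, then two PowerShell children, one adding a Windows Defender exclusion for the dropper's path and one deleting that file after a sleep. Add-MpPreference needs administrative rights, so on a standard-user host the exclusion step fails, but the command line itself remains a high-fidelity detection. The following is an added example, not code from the report or from the sandbox: Python that transcribes the tree and the cross-process API records as constructed input and runs the checks an analyst would want over an EDR process-event export, flagging a same-image child that receives SetThreadContext after memory writes, an Add-MpPreference exclusion covering an ancestor's image, deletion of an ancestor's image, and execution delays. The function names, regular expressions and result labels are ours.

```python
"""Behavioural triage of the process tree in this report.

Added example, not part of the sandbox report. PROCESSES and API_EVENTS are
transcribed from the report's Processes section and API signatures (counts
collapsed per parent/child pair); the check functions are ours.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# (pid, parent pid, image path, command line)
PROCESSES = [
    (548, None, SAMPLE, f'"{SAMPLE}"'),
    (1392, 548, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 4.891'),
    (2016, 1392, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4.891"),
    (1268, 548, SAMPLE, f'"{SAMPLE}"'),
    (600, 1268, POWERSHELL, f'"powershell" Add-MpPreference -ExclusionPath \'{SAMPLE}\''),
    (1636, 1268, POWERSHELL, f'"powershell" Start-Sleep -Seconds 2; Remove-Item -path \'{SAMPLE}\''),
]

# (api, source pid, target pid, count) from the SetThreadContext and
# WriteProcessMemory signatures.
API_EVENTS = [
    ("SetThreadContext", 548, 1268, 1),
    ("WriteProcessMemory", 548, 1392, 4),
    ("WriteProcessMemory", 1392, 2016, 4),
    ("WriteProcessMemory", 548, 1268, 9),
    ("WriteProcessMemory", 1268, 600, 4),
    ("WriteProcessMemory", 1268, 1636, 4),
]

# A quoted Windows path, single- or double-quoted (the command lines mix both).
QUOTED_PATH = re.compile(r"""['"]([A-Za-z]:\\[^'"]+)['"]""")
DELAY = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?([\d.]+)|\bStart-Sleep\s+-Seconds\s+([\d.]+)", re.I)


def build_tree(processes):
    """pid -> (parent pid, image, command line)."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in processes}


def ancestor_images(tree, pid):
    """Lower-cased image paths of every ancestor of pid, nearest first."""
    images, ppid = [], tree[pid][0]
    while ppid in tree:
        images.append(tree[ppid][1].lower())
        ppid = tree[ppid][0]
    return images


def find_self_injection(tree, api_events):
    """SetThreadContext on a child that runs the caller's own image and has
    already received WriteProcessMemory: a payload unpacked into a hollowed
    copy of the dropper. A different-image child (e.g. cmd.exe) is not flagged."""
    writes = {(src, dst) for api, src, dst, _ in api_events if api == "WriteProcessMemory"}
    hits = []
    for api, src, dst, _ in api_events:
        if api != "SetThreadContext" or dst not in tree or src not in tree:
            continue
        ppid, image, _ = tree[dst]
        if ppid == src and image.lower() == tree[src][1].lower() and (src, dst) in writes:
            hits.append((src, dst, image))
    return hits


def find_defender_exclusions(tree):
    """Add-MpPreference exclusions; the flag says whether the excluded path
    is the image of an ancestor, i.e. the dropper excluding itself."""
    hits = []
    for pid, (_, _, cmdline) in tree.items():
        if re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", cmdline, re.I):
            ancestors = ancestor_images(tree, pid)
            for path in QUOTED_PATH.findall(cmdline):
                hits.append((pid, path, path.lower() in ancestors))
    return hits


def find_self_deletion(tree):
    """Remove-Item / del / erase whose target is an ancestor's image."""
    hits = []
    for pid, (_, _, cmdline) in tree.items():
        if re.search(r"\b(Remove-Item|del|erase)\b", cmdline, re.I):
            ancestors = ancestor_images(tree, pid)
            hits.extend((pid, path) for path in QUOTED_PATH.findall(cmdline)
                        if path.lower() in ancestors)
    return hits


def find_execution_delays(tree):
    """timeout.exe and Start-Sleep delays, as (pid, seconds)."""
    hits = []
    for pid, (_, _, cmdline) in tree.items():
        m = DELAY.search(cmdline)
        if m:
            hits.append((pid, float(m.group(1) or m.group(2))))
    return hits


def triage_tree(processes=PROCESSES, api_events=API_EVENTS):
    tree = build_tree(processes)
    return {
        "self_injection": find_self_injection(tree, api_events),
        "defender_exclusions": find_defender_exclusions(tree),
        "self_deletion": find_self_deletion(tree),
        "delays": find_execution_delays(tree),
    }


if __name__ == "__main__":
    for technique, hits in triage_tree().items():
        print(technique, hits)
```

The self-injection check deliberately requires all three conditions (same image as the caller, parent/child relationship, prior memory writes) so that the routine CreateProcess writes into cmd.exe or powershell.exe do not fire it; the Defender and deletion checks resolve the quoted path against the caller's ancestors rather than matching on the sample's name, so they hold for any dropper that points PowerShell at its own file.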