Analysis
- max time kernel: 58s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02/12/2020, 15:30
Static task: static1
Behavioral task: behavioral1
- Sample: 52b1565bb8a50701d219f361929ea870.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 52b1565bb8a50701d219f361929ea870.exe
- Resource: win10v20201028
General
- Target: 52b1565bb8a50701d219f361929ea870.exe
- Size: 650KB
- MD5: 52b1565bb8a50701d219f361929ea870
- SHA1: aa6e4ce4342cb755a2fe894288534a04bc23f367
- SHA256: 9b1d91114fdc8c143afbedc2475e69a539c81d19eeee4ba9301da81b794efaf7
- SHA512: 6a9028a90574cb6f6431395697b4a23b7b67cb69738a2d3b29359b7c91a7e93c0c10d8c120699da51bbf9b216d9da75361341749a381ab2ed6036e25237c1106
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (2 IoCs)
  resource: behavioral2/memory/4072-12-0x0000000000400000-0x0000000000486000-memory.dmp, yara_rule: family_masslogger
  resource: behavioral2/memory/4072-13-0x0000000000481ABE-mapping.dmp, yara_rule: family_masslogger
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*", process: 52b1565bb8a50701d219f361929ea870.exe
- Beds Protector Packer (1 IoC)
  Detects the Beds Protector packer used to load .NET malware.
  resource: behavioral2/memory/2768-10-0x0000000005460000-0x00000000054EA000-memory.dmp, yara_rule: beds_protector
- Executes dropped EXE (2 IoCs)
  pid: 2768, process: 52b1565bb8a50701d219f361929ea870.exe
  pid: 4072, process: 52b1565bb8a50701d219f361929ea870.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation, process: 52b1565bb8a50701d219f361929ea870.exe
- Drops startup file (2 IoCs)
  description: File created, ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe, process: 52b1565bb8a50701d219f361929ea870.exe
  description: File opened for modification, ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe, process: 52b1565bb8a50701d219f361929ea870.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 13, ioc: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2768 set thread context of 4072, process: 52b1565bb8a50701d219f361929ea870.exe, procid_target: 76
- Drops file in Program Files directory (56 IoCs)
  All entries: description: File opened for modification, process: 52b1565bb8a50701d219f361929ea870.exe
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE
  ioc: C:\PROGRA~2\WINDOW~2\wabmig.exe
  ioc: C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  ioc: C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  ioc: C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  ioc: C:\PROGRA~2\WI54FB~1\setup_wm.exe
  ioc: C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
  ioc: C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  ioc: C:\PROGRA~2\WI54FB~1\wmprph.exe
  ioc: C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  ioc: C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  ioc: C:\PROGRA~2\INTERN~1\ExtExport.exe
  ioc: C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  ioc: C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  ioc: C:\PROGRA~2\Google\Temp\GUMED0D.tmp\GOFB2B~1.EXE
  ioc: C:\PROGRA~2\INTERN~1\iexplore.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  ioc: C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  ioc: C:\PROGRA~2\Google\Update\Install\{B130F~1\CR_2BD8F.tmp\setup.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  ioc: C:\PROGRA~2\INTERN~1\ieinstal.exe
  ioc: C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  ioc: C:\PROGRA~2\WI54FB~1\wmpshare.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE
  ioc: C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE
  ioc: C:\PROGRA~2\INTERN~1\ielowutil.exe
  ioc: C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  ioc: C:\PROGRA~2\WINDOW~2\wab.exe
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
  ioc: C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  ioc: C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  ioc: C:\PROGRA~2\Google\Update\DISABL~1.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE
  ioc: C:\PROGRA~2\WI54FB~1\wmplayer.exe
  ioc: C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  ioc: C:\PROGRA~2\WINDOW~2\WinMail.exe
  ioc: C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  ioc: C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  ioc: C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE
  ioc: C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- Drops file in Windows directory (1 IoC)
  description: File opened for modification, ioc: C:\Windows\svchost.com, process: 52b1565bb8a50701d219f361929ea870.exe
- Modifies registry class (1 IoC)
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*", process: 52b1565bb8a50701d219f361929ea870.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 4072, process: 52b1565bb8a50701d219f361929ea870.exe
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid: 2768, process: 52b1565bb8a50701d219f361929ea870.exe (37 entries)
  pid: 4072, process: 52b1565bb8a50701d219f361929ea870.exe (4 entries)
  pid: 1612, process: powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege, pid: 2768, process: 52b1565bb8a50701d219f361929ea870.exe
  description: Token: SeDebugPrivilege, pid: 4072, process: 52b1565bb8a50701d219f361929ea870.exe
  description: Token: SeDebugPrivilege, pid: 1612, process: powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4072, process: 52b1565bb8a50701d219f361929ea870.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description: PID 3084 wrote to memory of 2768, process: 52b1565bb8a50701d219f361929ea870.exe, procid_target: 75 (3 entries)
  description: PID 2768 wrote to memory of 4072, process: 52b1565bb8a50701d219f361929ea870.exe, procid_target: 76 (8 entries)
  description: PID 4072 wrote to memory of 1612, process: 52b1565bb8a50701d219f361929ea870.exe, procid_target: 81 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe (PID 3084, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe"
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe (PID 2768, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe (PID 4072, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1612, depth 4)
        Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken