Analysis
- max time kernel: 70s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-12-2020 08:33
Static task: static1
Behavioral task: behavioral1 (Sample: ddxWKELkDxNZ6z6.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: ddxWKELkDxNZ6z6.exe, Resource: win10v20201028)
The signatures, process tree and memory dumps below are from behavioral1 (windows7_x64).
General
- Target: ddxWKELkDxNZ6z6.exe
- Size: 955KB
- MD5: a58d52e7b0722d3c21e62675bb7120cf
- SHA1: 783efe192de87a84c45dccbb7a4777fbff821f5c
- SHA256: d3fd794e64ae0f414de9949be22024ba7edf5341805901af486ff2aa934a6ea4
- SHA512: 0562c5e6d6008ff6eb80c76eba56bd9d4a11080845efc395bfa442bcae7de1e928716f710e521c3d11034fb45c5eea069a87b636a29b4b465abff2bb436b477b
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1320-13-0x0000000000400000-0x0000000000486000-memory.dmp: family_masslogger
  - behavioral1/memory/1320-14-0x000000000048146E-mapping.dmp: family_masslogger
  - behavioral1/memory/1320-15-0x0000000000400000-0x0000000000486000-memory.dmp: family_masslogger
  - behavioral1/memory/1320-16-0x0000000000400000-0x0000000000486000-memory.dmp: family_masslogger
  All four matches are in PID 1320, the second ddxWKELkDxNZ6z6.exe instance, inside the 0x400000-0x486000 image region that PID 1916 wrote before calling SetThreadContext. The family match therefore comes from the in-memory image, which is where the unpacked payload should be dumped from; the static task on the file itself produced no match.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  - ddxWKELkDxNZ6z6.exe (PID 1320): key value queried \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 5: api.ipify.org
  api.ipify.org is benign infrastructure that legitimate software also queries; it is worth alerting on only in combination with the other signals in this report.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1916 (ddxWKELkDxNZ6z6.exe) set thread context of PID 1320 (ddxWKELkDxNZ6z6.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - PID 1320 (ddxWKELkDxNZ6z6.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  - PID 1916 (ddxWKELkDxNZ6z6.exe): 3 events
  - PID 1320 (ddxWKELkDxNZ6z6.exe): 4 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - PID 1916 (ddxWKELkDxNZ6z6.exe): Token SeDebugPrivilege
  - PID 1320 (ddxWKELkDxNZ6z6.exe): Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 1320 (ddxWKELkDxNZ6z6.exe)
  Together with AddClipboardFormatListener in the same process, this is consistent with keystroke and clipboard capture by the injected payload.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  - PID 1916 (ddxWKELkDxNZ6z6.exe) wrote to memory of PID 412 (schtasks.exe): 4 events
  - PID 1916 (ddxWKELkDxNZ6z6.exe) wrote to memory of PID 1320 (ddxWKELkDxNZ6z6.exe): 9 events
  The writes into the schtasks.exe child are of the kind produced for any newly created child process and carry little weight on their own; the nine writes into the second ddxWKELkDxNZ6z6.exe instance, followed by SetThreadContext on the same PID, are the process-hollowing sequence that places the MassLogger payload matched above.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe (PID 1916, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 412, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp"
    - Creates scheduled task(s)
    The System32 path in the command line resolves to SysWOW64, so the sample runs as a 32-bit process under WoW64 on this x64 VM.
  - C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe (PID 1320, level 2)
    Command line: "{path}"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    The child is started with the literal, unexpanded command line "{path}", which is a useful hunting string for this loader in process-creation telemetry.
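The behaviors in the signature tables and process tree above, replayed as detection logic. This is an added example and not part of the sandbox report: the event list is constructed from the report's own PIDs (1916, 1320, 412), the schtasks command line, the Geo\Nation registry query and the api.ipify.org flow, while the Event field layout and the list of IP-lookup hosts are assumptions of the example rather than a real log schema.

```python
"""Detection logic for the behaviors recorded in this report.

Added example, not part of the sandbox output. EVENTS is constructed from the
report's process tree and signature tables (PIDs 1916/1320/412, the schtasks
command line, the Geo\\Nation registry query and the api.ipify.org flow); the
Event field layout and the IP-lookup host list are assumptions of this example."""
import re
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # process_create | wpm | set_thread_context | reg_query | dns
    pid: int                # acting process
    image: str = ""         # image path of the acting process
    ppid: int = 0           # parent pid and image (process_create only)
    parent_image: str = ""
    target_pid: int = 0     # target of wpm / set_thread_context
    cmdline: str = ""
    key: str = ""           # registry value path (reg_query only)
    host: str = ""          # queried hostname (dns only)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000"
           r"\Control Panel\International\Geo\Nation")
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ipinfo.io"}
_TN = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
_XML = re.compile(r'/XML\s+"([^"]+)"', re.I)

# Constructed from the report; event counts match its IoC counts.
EVENTS = [
    Event("process_create", 1916, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process_create", 412, SCHTASKS, ppid=1916, parent_image=SAMPLE,
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp"'
                  r' /XML "C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp"'),
    *[Event("wpm", 1916, SAMPLE, target_pid=412) for _ in range(4)],
    Event("process_create", 1320, SAMPLE, ppid=1916, parent_image=SAMPLE, cmdline="{path}"),
    *[Event("wpm", 1916, SAMPLE, target_pid=1320) for _ in range(9)],
    Event("set_thread_context", 1916, SAMPLE, target_pid=1320),
    Event("reg_query", 1320, SAMPLE, key=GEO_KEY),
    Event("dns", 1320, SAMPLE, host="api.ipify.org"),
]


def _in_temp(path):
    p = ntpath.normcase(path)  # lower-case, backslash-separated; works off Windows too
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def detect_self_injection(events):
    """Parent spawns its own image, writes the child's memory, then resets a thread
    context (RunPE/hollowing). All three are required: WriteProcessMemory into a
    fresh child alone is also produced by benign loaders and sandbox hooks."""
    hits = []
    for e in events:
        if e.kind != "process_create" or not e.ppid:
            continue
        if ntpath.normcase(e.image) != ntpath.normcase(e.parent_image):
            continue
        pair = (e.ppid, e.pid)
        wrote = any(x.kind == "wpm" and (x.pid, x.target_pid) == pair for x in events)
        ctx = any(x.kind == "set_thread_context" and (x.pid, x.target_pid) == pair for x in events)
        if wrote and ctx:
            hits.append(pair)
    return hits


def detect_task_from_temp(events):
    """schtasks /Create fed a task XML from Temp by a parent that itself runs from Temp."""
    hits = []
    for e in events:
        if e.kind != "process_create" or ntpath.basename(ntpath.normcase(e.image)) != "schtasks.exe":
            continue
        if not re.search(r"/create\b", e.cmdline, re.I):
            continue
        tn, xml = _TN.search(e.cmdline), _XML.search(e.cmdline)
        if xml and _in_temp(xml.group(1)) and _in_temp(e.parent_image):
            hits.append((e.ppid, tn.group(1) if tn else "", xml.group(1)))
    return hits


def detect_geofence_lookup(events):
    """Geo\\Nation read from Temp. Legitimate software reads it too: supporting context only."""
    suffix = r"\control panel\international\geo\nation"
    return sorted({e.pid for e in events if e.kind == "reg_query"
                   and ntpath.normcase(e.key).endswith(suffix) and _in_temp(e.image)})


def triage(events):
    """Self-injection plus Temp-based persistence is a loader pattern strong enough on
    its own; the geofence read and the IP lookup only raise confidence."""
    f = {"self_injection": detect_self_injection(events),
         "task_from_temp": detect_task_from_temp(events),
         "geofence_lookup": detect_geofence_lookup(events),
         "ip_lookup": sorted({e.host for e in events
                              if e.kind == "dns" and e.host.lower() in IP_LOOKUP_HOSTS})}
    strong = bool(f["self_injection"] and f["task_from_temp"])
    f["verdict"] = "malicious" if strong else "suspicious" if any(f.values()) else "clean"
    return f
```

Running `triage(EVENTS)` returns the self-injection pair (1916, 1320), the task "Updates\PIqcvnnXKVfCp" with its Temp XML, PID 1320 for the geofence read, api.ipify.org, and the verdict "malicious". The self-injection check deliberately ignores the four writes into schtasks.exe (no matching SetThreadContext and a different image), and a process that merely spawns a copy of itself and writes to it is not flagged, which keeps ordinary multi-process applications out of the alert.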
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp
  MD5: f3b5b92387e30660b965f4e4579d3654
  SHA1: 65cde49ec3150de1536377268f0c7ca7213fd954
  SHA256: a03faf826ecf2f1cc49c047dbca98907e5c3c712fdacbb50324a25d4ef8147b7
  SHA512: 6cd46dc2af0b6c6b17018b0ef9a678109833e70ae960752fbd5404608d3447a98627989d1483368d5e8210c43bca763c73192c83c0e7418bd12b512137b6259d
  This is the task definition passed to schtasks via /XML for the "Updates\PIqcvnnXKVfCp" task; collect it to see the persistence trigger and action.
- memory/412-11-0x0000000000000000-mapping.dmp
- memory/1320-17-0x00000000745B0000-0x0000000074C9E000-memory.dmp (Filesize 6.9MB)
- memory/1320-14-0x000000000048146E-mapping.dmp
- memory/1320-24-0x0000000006130000-0x00000000061BD000-memory.dmp (Filesize 564KB)
- memory/1320-23-0x00000000010B0000-0x00000000010E9000-memory.dmp (Filesize 228KB)
- memory/1320-16-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
- memory/1320-15-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
- memory/1320-13-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
- memory/1916-5-0x0000000006ED0000-0x0000000006FAD000-memory.dmp (Filesize 884KB)
- memory/1916-3-0x0000000001310000-0x0000000001311000-memory.dmp (Filesize 4KB)
- memory/1916-6-0x0000000000410000-0x0000000000421000-memory.dmp (Filesize 68KB)
- memory/1916-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp (Filesize 6.9MB)
- memory/1916-18-0x0000000000480000-0x00000000004B0000-memory.dmp (Filesize 192KB)
- memory/1916-9-0x0000000004B50000-0x0000000004C0C000-memory.dmp (Filesize 752KB)
- memory/1916-8-0x00000000002A0000-0x00000000002AE000-memory.dmp (Filesize 56KB)