Analysis
-
max time kernel
70s -
max time network
127s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-12-2020 08:33
General
-
Target
ddxWKELkDxNZ6z6.exe
-
Size
955KB
-
MD5
a58d52e7b0722d3c21e62675bb7120cf
-
SHA1
783efe192de87a84c45dccbb7a4777fbff821f5c
-
SHA256
d3fd794e64ae0f414de9949be22024ba7edf5341805901af486ff2aa934a6ea4
-
SHA512
0562c5e6d6008ff6eb80c76eba56bd9d4a11080845efc395bfa442bcae7de1e928716f710e521c3d11034fb45c5eea069a87b636a29b4b465abff2bb436b477b
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE550.tmpMD5
f3b5b92387e30660b965f4e4579d3654
SHA165cde49ec3150de1536377268f0c7ca7213fd954
SHA256a03faf826ecf2f1cc49c047dbca98907e5c3c712fdacbb50324a25d4ef8147b7
SHA5126cd46dc2af0b6c6b17018b0ef9a678109833e70ae960752fbd5404608d3447a98627989d1483368d5e8210c43bca763c73192c83c0e7418bd12b512137b6259d
-
memory/412-11-0x0000000000000000-mapping.dmp
-
memory/1320-17-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1320-14-0x000000000048146E-mapping.dmp
-
memory/1320-24-0x0000000006130000-0x00000000061BD000-memory.dmpFilesize
564KB
-
memory/1320-23-0x00000000010B0000-0x00000000010E9000-memory.dmpFilesize
228KB
-
memory/1320-16-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1320-15-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1320-13-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1916-5-0x0000000006ED0000-0x0000000006FAD000-memory.dmpFilesize
884KB
-
memory/1916-3-0x0000000001310000-0x0000000001311000-memory.dmpFilesize
4KB
-
memory/1916-6-0x0000000000410000-0x0000000000421000-memory.dmpFilesize
68KB
-
memory/1916-2-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1916-18-0x0000000000480000-0x00000000004B0000-memory.dmpFilesize
192KB
-
memory/1916-9-0x0000000004B50000-0x0000000004C0C000-memory.dmpFilesize
752KB
-
memory/1916-8-0x00000000002A0000-0x00000000002AE000-memory.dmpFilesize
56KB