Overview

overview

10

Static

static

ddxWKELkDxNZ6z6.exe

windows7_x64

10

ddxWKELkDxNZ6z6.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-12-2020 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddxWKELkDxNZ6z6.exe

  • Size

    955KB

  • MD5

    a58d52e7b0722d3c21e62675bb7120cf

  • SHA1

    783efe192de87a84c45dccbb7a4777fbff821f5c

  • SHA256

    d3fd794e64ae0f414de9949be22024ba7edf5341805901af486ff2aa934a6ea4

  • SHA512

    0562c5e6d6008ff6eb80c76eba56bd9d4a11080845efc395bfa442bcae7de1e928716f710e521c3d11034fb45c5eea069a87b636a29b4b465abff2bb436b477b

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
    "C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42C6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:832
    • C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ddxWKELkDxNZ6z6.exe.log
    MD5

    5673cf2af5615403885e4175a3fd0f0f

    SHA1

    89ea32eab4fcc61b8738859fc2175f18d2bb2c4e

    SHA256

    ab86113916e6b256585f9eecd39a3d4bcd118bed7a635afd2ad3190676fd08f2

    SHA512

    60388b060afc61940109875b7d3a0bc96a2ef98543d54df603f267d8abd99c7b1a5a8bf9a2f7475a4e5af094e6a8c7d54e2242d25b28f771e515bb219a4b2d6b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp42C6.tmp
    MD5

    4a10a6b6394c40e2182ec2e15649f26f

    SHA1

    5bffe3e122684e93ced3e582ec4cb64a28ce8c46

    SHA256

    153cd211509462604bf8d291003d1d1c031a5e88468fd0f2bce30b74b89ddfcf

    SHA512

    16b18d66f827b2d585d9465d83baea1d918c7e6c2c1b5892bfcd63cbbb7c4d9b67df4d3cd42f94c32dc985a669d1564df44c4d836f9ae0977265c92a8fa92eab

    Download Submit
  • memory/832-13-0x0000000000000000-mapping.dmp
    Download
  • memory/888-18-0x0000000073150000-0x000000007383E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/888-23-0x0000000006B30000-0x0000000006B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/888-28-0x00000000080E0000-0x000000000816D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/888-27-0x00000000074E0000-0x0000000007519000-memory.dmp
    Filesize

    228KB

    Download
  • memory/888-24-0x0000000007450000-0x0000000007451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/888-16-0x000000000048146E-mapping.dmp
    Download
  • memory/888-15-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/4760-6-0x000000000ABF0000-0x000000000ABF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-5-0x0000000007310000-0x00000000073ED000-memory.dmp
    Filesize

    884KB

    Download
  • memory/4760-12-0x0000000004F90000-0x000000000504C000-memory.dmp
    Filesize

    752KB

    Download
  • memory/4760-11-0x000000000ABE0000-0x000000000ABEE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4760-3-0x00000000005E0000-0x00000000005E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4760-7-0x000000000A7D0000-0x000000000A7D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-10-0x000000000B620000-0x000000000B621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-9-0x000000000AA10000-0x000000000AA11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4760-8-0x000000000A7B0000-0x000000000A7B1000-memory.dmp
    Filesize

    4KB

    Download