Analysis
- max time kernel: 25s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-12-2020 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: nwamamassloga.scr
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: nwamamassloga.scr
- Resource: win10v20201028
General
- Target: nwamamassloga.scr
- Size: 5.7MB
- MD5: fc822a19f7929313a6515de8f2570149
- SHA1: b85459795c58be097e3cb6cbf8d7763c9bece136
- SHA256: cf25b0ff9d683b638d718b02dcd5cce5bf0f42a121d9794c4048cacf38602940
- SHA512: 769c47ae9c3684f1bbcbc0e4cd4e1d6766f6c6efcbff14277a81b4854e58e4b5df4b001eac5ec6f4b2104ef77f65b206961af9b3d10476f25f09fc10c38f6e1a
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (4 IoCs)
  Processes:
  - resource: behavioral1/memory/1220-7-0x0000000000481F6E-mapping.dmp, yara_rule: family_masslogger
  - resource: behavioral1/memory/1220-8-0x0000000000400000-0x0000000000486000-memory.dmp, yara_rule: family_masslogger
  - resource: behavioral1/memory/1220-6-0x0000000000400000-0x0000000000486000-memory.dmp, yara_rule: family_masslogger
  - resource: behavioral1/memory/1220-9-0x0000000000400000-0x0000000000486000-memory.dmp, yara_rule: family_masslogger
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation, process: nwamamassloga.scr
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow: 5, ioc: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 1580 set thread context of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - pid: 1220, process: nwamamassloga.scr
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid: 1220, process: nwamamassloga.scr
  - pid: 1220, process: nwamamassloga.scr
  - pid: 1220, process: nwamamassloga.scr
  - pid: 1220, process: nwamamassloga.scr
  - pid: 528, process: powershell.exe
  - pid: 528, process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege, pid: 1220, process: nwamamassloga.scr
  - description: Token: SeDebugPrivilege, pid: 528, process: powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - pid: 1220, process: nwamamassloga.scr
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1580 wrote to memory of 1220, pid: 1580, process: nwamamassloga.scr, target process: nwamamassloga.scr
  - description: PID 1220 wrote to memory of 528, pid: 1220, process: nwamamassloga.scr, target process: powershell.exe
  - description: PID 1220 wrote to memory of 528, pid: 1220, process: nwamamassloga.scr, target process: powershell.exe
  - description: PID 1220 wrote to memory of 528, pid: 1220, process: nwamamassloga.scr, target process: powershell.exe
  - description: PID 1220 wrote to memory of 528, pid: 1220, process: nwamamassloga.scr, target process: powershell.exe
Processes (process tree, depth 1 to 3)
- [1] C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads