Overview

overview

10

Static

static

TIRNAK.exe

windows7_x64

10

TIRNAK.exe

windows10_x64

10

Analysis

  • max time kernel
    19s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-12-2020 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TIRNAK.exe

  • Size

    29KB

  • MD5

    2cb0cf48d5eafbd16bbf8cdda749d628

  • SHA1

    1b71449f295eae0994f4d62de838b1af168c0a09

  • SHA256

    e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1

  • SHA512

    1f6e0be8e3c66aa8a1ac7e41b26b0b29bf055039c3bd8116cb33aa5874077c1325fcbfc0a934e2fdd6da89acea34b1cf2875147f0470346afeca7e9193d79927

Score
10/10
massloggerpersistencespywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TIRNAK.exe
    "C:\Users\Admin\AppData\Local\Temp\TIRNAK.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 4.903
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4.903
        3⤵
        • Delays execution with timeout.exe
        PID:2076
    • C:\Users\Admin\AppData\Local\Temp\TIRNAK.exe
      "C:\Users\Admin\AppData\Local\Temp\TIRNAK.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\TIRNAK.exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TIRNAK.exe.log
    MD5

    d567f19f34a4bb9387d89a16e0c18b6a

    SHA1

    cfd95ea4d78455ea99aca178e3220a80af8a5abf

    SHA256

    3ea54c0511a9b9ebd3c5242ac121fa76643e5492043987c8dc633cb47ee33f72

    SHA512

    861e78011452f94120d9ee2f6c46845f1ff56c6b7a863a0ec17123c463364824677e0374ca259a456e2971542ba533943d0bc50979fcbe5160a52c404f3f5c27

    Download Submit
  • memory/652-11-0x0000000007270000-0x0000000007271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-3-0x0000000000550000-0x0000000000551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-6-0x0000000005490000-0x0000000005491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/652-9-0x0000000004820000-0x00000000048B4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/652-10-0x00000000072A0000-0x00000000072A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-21-0x0000000000000000-mapping.dmp
    Download
  • memory/1388-29-0x0000000007950000-0x0000000007951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-35-0x0000000007440000-0x0000000007441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-34-0x0000000009960000-0x0000000009961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-33-0x0000000009560000-0x0000000009561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-32-0x0000000009FE0000-0x0000000009FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-31-0x0000000008930000-0x0000000008931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-22-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1388-23-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-24-0x0000000007970000-0x0000000007971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-25-0x00000000077E0000-0x00000000077E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-26-0x0000000007880000-0x0000000007881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-28-0x00000000082F0000-0x00000000082F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1388-30-0x0000000008640000-0x0000000008641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2076-8-0x0000000000000000-mapping.dmp
    Download
  • memory/3480-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3764-12-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/3764-20-0x0000000005950000-0x0000000005951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3764-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3764-13-0x000000000048184E-mapping.dmp
    Download