Analysis
max time kernel: 123s
max time network: 124s
platform: windows7_x64
resource: win7v20201028
submitted: 15-12-2020 12:42
Static task: static1
Behavioral task: behavioral1
  Sample: nwamamassloga.scr
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: nwamamassloga.scr
  Resource: win10v20201028
General
Target: nwamamassloga.scr
Size: 5.5MB
MD5: 22eda4f532ebc0f5994060c2d6cd2002
SHA1: 10beb6ab238582776f0450a2c43502307f766ebd
SHA256: d0d99283b85e0d8c899857c8e9f37a51c6af357f915124078a367a0687607a29
SHA512: f66ebd885c3ae086e295782c748b18e8fa5df1bf69597a21f684d3558d5b3e5b738d0af1df39240c297efe950798341ceb463e8a81869ad66f4dcb2bc1ac2e5a
Malware Config
Signatures

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (4 IoCs)
Processes:
  resource                                                                   | yara_rule
  behavioral1/memory/916-7-0x0000000000481F6E-mapping.dmp                    | family_masslogger
  behavioral1/memory/916-6-0x0000000000400000-0x0000000000486000-memory.dmp  | family_masslogger
  behavioral1/memory/916-8-0x0000000000400000-0x0000000000486000-memory.dmp  | family_masslogger
  behavioral1/memory/916-9-0x0000000000400000-0x0000000000486000-memory.dmp  | family_masslogger
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        | ioc                                                                                                  | process
  Key value queried  | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation  | nwamamassloga.scr
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  6    | api.ipify.org
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                            | pid | process            | target process
  PID 800 set thread context of 916      | 800 | nwamamassloga.scr  | nwamamassloga.scr

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid | process
  916 | nwamamassloga.scr

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid  | process
  916  | nwamamassloga.scr
  916  | nwamamassloga.scr
  916  | nwamamassloga.scr
  916  | nwamamassloga.scr
  1624 | powershell.exe
  1624 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 916  | nwamamassloga.scr
  Token: SeDebugPrivilege  | 1624 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  916 | nwamamassloga.scr

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                        | pid | process            | target process
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 800 wrote to memory of 916     | 800 | nwamamassloga.scr  | nwamamassloga.scr
  PID 916 wrote to memory of 1624    | 916 | nwamamassloga.scr  | powershell.exe
  PID 916 wrote to memory of 1624    | 916 | nwamamassloga.scr  | powershell.exe
  PID 916 wrote to memory of 1624    | 916 | nwamamassloga.scr  | powershell.exe
  PID 916 wrote to memory of 1624    | 916 | nwamamassloga.scr  | powershell.exe
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
    command line: "C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                            | Filesize
  memory/800-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp   | 6.9MB
  memory/800-3-0x0000000001030000-0x0000000001031000-memory.dmp   | 4KB
  memory/800-5-0x0000000000F10000-0x0000000000F98000-memory.dmp   | 544KB
  memory/916-7-0x0000000000481F6E-mapping.dmp                     |
  memory/916-6-0x0000000000400000-0x0000000000486000-memory.dmp   | 536KB
  memory/916-8-0x0000000000400000-0x0000000000486000-memory.dmp   | 536KB
  memory/916-9-0x0000000000400000-0x0000000000486000-memory.dmp   | 536KB
  memory/916-10-0x00000000739B0000-0x000000007409E000-memory.dmp  | 6.9MB
  memory/1624-13-0x0000000000000000-mapping.dmp                   |
  memory/1624-14-0x00000000739B0000-0x000000007409E000-memory.dmp | 6.9MB
  memory/1624-15-0x0000000000D50000-0x0000000000D51000-memory.dmp | 4KB
  memory/1624-16-0x0000000004810000-0x0000000004811000-memory.dmp | 4KB
  memory/1624-17-0x0000000002580000-0x0000000002581000-memory.dmp | 4KB
  memory/1624-18-0x0000000005240000-0x0000000005241000-memory.dmp | 4KB
  memory/1624-21-0x0000000005660000-0x0000000005661000-memory.dmp | 4KB
  memory/1624-26-0x0000000006050000-0x0000000006051000-memory.dmp | 4KB
  memory/1624-27-0x0000000006150000-0x0000000006151000-memory.dmp | 4KB
  memory/1624-34-0x0000000006280000-0x0000000006281000-memory.dmp | 4KB
  memory/1624-35-0x00000000055D0000-0x00000000055D1000-memory.dmp | 4KB
  memory/1624-49-0x0000000006300000-0x0000000006301000-memory.dmp | 4KB
  memory/1624-50-0x0000000006310000-0x0000000006311000-memory.dmp | 4KB