Analysis

max time kernel: 70s
max time network: 129s
platform: windows10_x64
resource: win10v20201028
submitted: 30-12-2020 09:15

Static task: static1

Behavioral task: behavioral1
Sample: DHL_20201230,pdf.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: DHL_20201230,pdf.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General

Target: DHL_20201230,pdf.exe
Size: 1.1MB
MD5: 14fe2d5d95ec2fe9d8610f5e16c88428
SHA1: 97d20decb09787cbf557207a49b309b31429244c
SHA256: a9a4bd2de434ba7cb210b0e8bc7374db4c6df7e0e94dac78c67f3dc97ddadc4f
SHA512: 50096d3b5c84cade3b070e649557313692bd4f89af08aba07582c2ecfb54d0f2da35b98f4ad3ca2c8c072a0cffde8c2ac991bad42e73422327946f617e2ee07b
Score: 10/10
Signatures

MassLogger
MassLogger is a .NET stealer that targets credentials stored by browsers, email clients and cryptocurrency wallets.
MassLogger Main Payload (7 IoCs)
resource                                                                     yara_rule
behavioral2/memory/2412-5-0x0000000000400000-0x0000000000486000-memory.dmp  family_masslogger
behavioral2/memory/2412-6-0x0000000000481D6E-mapping.dmp                     family_masslogger
behavioral2/memory/2412-11-0x0000000000481D6E-mapping.dmp                    family_masslogger
behavioral2/memory/2412-10-0x0000000000481D6E-mapping.dmp                    family_masslogger
behavioral2/memory/2412-12-0x0000000000481D6E-mapping.dmp                    family_masslogger
behavioral2/memory/2412-13-0x0000000000481D6E-mapping.dmp                    family_masslogger
behavioral2/memory/2412-14-0x0000000000481D6E-mapping.dmp                    family_masslogger

Suspicious use of SetThreadContext (1 IoC)
Processes: DHL_20201230,pdf.exe
description                          pid   process               target process
PID 4020 set thread context of 2412  4020  DHL_20201230,pdf.exe  MSBuild.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: dw20.exe
pid   process
3584  dw20.exe
3584  dw20.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: dw20.exe
description                pid   process
Token: SeRestorePrivilege  3584  dw20.exe
Token: SeBackupPrivilege   3584  dw20.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: DHL_20201230,pdf.exe, MSBuild.exe
description                       pid   process               target process
PID 4020 wrote to memory of 2412  4020  DHL_20201230,pdf.exe  MSBuild.exe    (8 identical entries)
PID 2412 wrote to memory of 3584  2412  MSBuild.exe           dw20.exe       (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (depth 3)
      command line: dw20.exe -x -s 680
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads

memory/2412-5-0x0000000000400000-0x0000000000486000-memory.dmp  (536KB)
memory/2412-6-0x0000000000481D6E-mapping.dmp
memory/2412-11-0x0000000000481D6E-mapping.dmp
memory/2412-10-0x0000000000481D6E-mapping.dmp
memory/2412-12-0x0000000000481D6E-mapping.dmp
memory/2412-13-0x0000000000481D6E-mapping.dmp
memory/2412-14-0x0000000000481D6E-mapping.dmp
memory/3584-7-0x0000000000000000-mapping.dmp
memory/3584-8-0x00000000025F0000-0x00000000025F1000-memory.dmp  (4KB)
memory/3584-9-0x0000000002960000-0x0000000002961000-memory.dmp  (4KB)
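The signature tables and process tree above record the loader (PID 4020) writing into a freshly started 32-bit MSBuild.exe (PID 2412) and then resetting a thread context in it, while the Downloads list names the regions the sandbox dumped from that process. The script below is an added example, not part of this report or of any sandbox vendor's tooling: it parses lines constructed from those two sections and correlates them, reporting a (source, target) pair as a hollowing candidate only when both WriteProcessMemory and SetThreadContext were recorded for it, and checking the target's dumped regions for an image-sized block at 0x400000, the default image base of a 32-bit PE executable. The line grammar, the HOLLOW_HOSTS list and every function name are this example's own assumptions; the PIDs, image names and dump names are copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample: the report's SetThreadContext / WriteProcessMemory rows
# (the line grammar is this example's assumption, not a sandbox export format).
BEHAVIOUR_LINES = (
    ["PID 4020 set thread context of 2412 4020 DHL_20201230,pdf.exe MSBuild.exe"]
    + ["PID 4020 wrote to memory of 2412 4020 DHL_20201230,pdf.exe MSBuild.exe"] * 8
    + ["PID 2412 wrote to memory of 3584 2412 MSBuild.exe dw20.exe"] * 3
)

# Constructed sample: the report's Downloads entries.
DUMP_NAMES = [
    "memory/2412-5-0x0000000000400000-0x0000000000486000-memory.dmp",
    *[f"memory/2412-{n}-0x0000000000481D6E-mapping.dmp" for n in (6, 11, 10, 12, 13, 14)],
    "memory/3584-7-0x0000000000000000-mapping.dmp",
    "memory/3584-8-0x00000000025F0000-0x00000000025F1000-memory.dmp",
    "memory/3584-9-0x0000000002960000-0x0000000002961000-memory.dmp",
]

# .NET Framework binaries often used as hollowing hosts by .NET loaders
# (assumption: a short illustrative list, not an exhaustive catalogue).
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_events(lines):
    """Turn signature rows into (src, dst, action, images) records; other rows are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "action": "set_context" if m["action"].startswith("set") else "write",
                "src_image": m["src_image"], "dst_image": m["dst_image"],
            })
    return events


def find_hollowing(events, hosts=HOLLOW_HOSTS):
    """Flag (src, dst) pairs with both WriteProcessMemory and SetThreadContext.
    WriteProcessMemory alone is not enough: MSBuild.exe also writes into the
    dw20.exe crash handler it launches, and that pair must stay unflagged."""
    counts = defaultdict(lambda: {"write": 0, "set_context": 0})
    images = {}
    for ev in events:
        key = (ev["src"], ev["dst"])
        counts[key][ev["action"]] += 1
        images[key] = (ev["src_image"], ev["dst_image"])
    findings = []
    for key in sorted(counts):
        if counts[key]["write"] and counts[key]["set_context"]:
            src_img, dst_img = images[key]
            findings.append({
                "source_pid": key[0], "source_image": src_img,
                "target_pid": key[1], "target_image": dst_img,
                "writes": counts[key]["write"],
                "known_host": dst_img.lower() in hosts,  # known host binary: higher confidence
            })
    return findings


def parse_dumps(names):
    """Decode pid, sequence number, address range and kind from a dump file name."""
    dumps = []
    for m in filter(None, map(DUMP_RE.match, names)):
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None  # mapping dumps carry one address
        dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
                      "start": start, "end": end, "size": (end - start) if end else 0})
    return dumps


def injected_image(dumps, pid):
    """Largest region dumped from pid, plus two hollowing hints: a 0x400000 base
    (default image base of a 32-bit PE) and mapping addresses inside that region."""
    regions = [d for d in dumps if d["pid"] == pid and d["kind"] == "memory"]
    if not regions:
        return None
    biggest = max(regions, key=lambda d: d["size"])
    mappings = [d["start"] for d in dumps if d["pid"] == pid and d["kind"] == "mapping"]
    return {
        "start": biggest["start"], "end": biggest["end"], "size_kb": biggest["size"] // 1024,
        "looks_like_pe_image": biggest["start"] == 0x400000,
        "mappings_inside": bool(mappings)
        and all(biggest["start"] <= a < biggest["end"] for a in mappings),
    }


if __name__ == "__main__":
    for hit in find_hollowing(parse_events(BEHAVIOUR_LINES)):
        print("hollowing candidate:", hit)
        print("dumped image:", injected_image(parse_dumps(DUMP_NAMES), hit["target_pid"]))
```

Run against the report's data, the only candidate is 4020 -> 2412 (DHL_20201230,pdf.exe into MSBuild.exe, eight writes, known host); the 2412 -> 3584 writes into dw20.exe have no SetThreadContext and are left alone. For PID 2412 the largest dump is the 536KB block at 0x400000 and every recorded mapping address (0x481D6E) lies inside it, which is what a PE written over the host image looks like; PID 3584 only has two 4KB regions at heap-like addresses and a zero-address mapping, so neither hint fires there.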