Analysis
- Max time kernel: 137s
- Max time network: 113s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 13-01-2021 12:38
Static task: static1
Behavioral task: behavioral1
- Sample: Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
- Resource: win10v20201028
General
- Target: Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
- Size: 718KB
- MD5: 44d0f64678ae63a17b6c535d60f7dd47
- SHA1: ea9e2a939d111c57b1a1da10805433e46c86e485
- SHA256: 08a9b841c509bb0171f6899c3357e6b2cc47ce64e352315c4a8aaa4961ad0673
- SHA512: 93ef6d531f676cfb6072618c21760af48b9722b3e571eaa580270dd54e5a65c7bc120d04dd3e2f90543e7d8acf7aa2061930275d9f73d13633c968819f0250ad
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 4 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1944-8-0x0000000000481E9E-mapping.dmp / family_masslogger
- behavioral1/memory/1944-7-0x0000000000400000-0x0000000000486000-memory.dmp / family_masslogger
- behavioral1/memory/1944-9-0x0000000000400000-0x0000000000486000-memory.dmp / family_masslogger
- behavioral1/memory/1944-10-0x0000000000400000-0x0000000000486000-memory.dmp / family_masslogger
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 4 / api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1576 set thread context of 1944 / 1576 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Key opened / \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor / EXCEL.EXE
-
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / POWERPNT.EXE
- Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / POWERPNT.EXE
- Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar / POWERPNT.EXE
- Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / POWERPNT.EXE
- Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt / POWERPNT.EXE
- Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / POWERPNT.EXE
- Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / POWERPNT.EXE
- Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / POWERPNT.EXE
- Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / POWERPNT.EXE
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes (pid / process):
- 1944 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
- 1984 / POWERPNT.EXE
- 1888 / vlc.exe
- 1644 / EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid / process):
- 1944 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe (4 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 1888 / vlc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1944 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes (pid / process):
- 1888 / vlc.exe (9 identical entries)
-
Suspicious use of SendNotifyMessage 8 IoCs
Processes (pid / process):
- 1888 / vlc.exe (8 identical entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid / process):
- 1944 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
- 1984 / POWERPNT.EXE
- 1888 / vlc.exe
- 1644 / EXCEL.EXE (3 identical entries)
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description / pid / process / target process):
- PID 1576 wrote to memory of 1944 / 1576 / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe / Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe (9 identical entries)
- PID 1984 wrote to memory of 1436 / 1984 / POWERPNT.EXE / splwow64.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe"
    Signatures:
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\UnregisterInstall.pptx"
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files\VideoLAN\VLC\vlc.exe (depth 1)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BlockConfirm.TS"
  Signatures:
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump / filesize)
- memory/1296-14-0x000007FEF7A50000-0x000007FEF7CCA000-memory.dmp / 2.5MB
- memory/1436-15-0x0000000000000000-mapping.dmp
- memory/1576-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp / 6.9MB
- memory/1576-3-0x00000000013C0000-0x00000000013C1000-memory.dmp / 4KB
- memory/1576-5-0x0000000004980000-0x0000000004A2E000-memory.dmp / 696KB
- memory/1576-6-0x00000000003E0000-0x00000000003EF000-memory.dmp / 60KB
- memory/1644-16-0x0000000000510000-0x0000000000511000-memory.dmp / 4KB
- memory/1944-8-0x0000000000481E9E-mapping.dmp
- memory/1944-7-0x0000000000400000-0x0000000000486000-memory.dmp / 536KB
- memory/1944-9-0x0000000000400000-0x0000000000486000-memory.dmp / 536KB
- memory/1944-10-0x0000000000400000-0x0000000000486000-memory.dmp / 536KB
- memory/1944-11-0x00000000744C0000-0x0000000074BAE000-memory.dmp / 6.9MB