Overview

overview

10

Static

static

Our New Or...DF.exe

windows7_x64

10

Our New Or...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe

  • Size

    718KB

  • MD5

    44d0f64678ae63a17b6c535d60f7dd47

  • SHA1

    ea9e2a939d111c57b1a1da10805433e46c86e485

  • SHA256

    08a9b841c509bb0171f6899c3357e6b2cc47ce64e352315c4a8aaa4961ad0673

  • SHA512

    93ef6d531f676cfb6072618c21760af48b9722b3e571eaa580270dd54e5a65c7bc120d04dd3e2f90543e7d8acf7aa2061930275d9f73d13633c968819f0250ad

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Our New Order Jan 11 2020 at 2.30_PVV440_PDF.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1944
  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\UnregisterInstall.pptx"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1436
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BlockConfirm.TS"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1888
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1644

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1296-14-0x000007FEF7A50000-0x000007FEF7CCA000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1436-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1576-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1576-3-0x00000000013C0000-0x00000000013C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1576-5-0x0000000004980000-0x0000000004A2E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/1576-6-0x00000000003E0000-0x00000000003EF000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1644-16-0x0000000000510000-0x0000000000511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1944-8-0x0000000000481E9E-mapping.dmp
      Download
    • memory/1944-7-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/1944-9-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/1944-10-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/1944-11-0x00000000744C0000-0x0000000074BAE000-memory.dmp
      Filesize

      6.9MB

      Download