Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-01-2021 07:27
Static task
static1
Behavioral task
behavioral1
Sample
DHL_Jan 2021 at 1.M_9B78290_PDF.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
DHL_Jan 2021 at 1.M_9B78290_PDF.exe
Resource
win10v20201028
General
-
Target
DHL_Jan 2021 at 1.M_9B78290_PDF.exe
-
Size
715KB
-
MD5
22884fe2b584826518d07d2a0e63cdaa
-
SHA1
2f37ac54c148847671b40ea7153835b7fb8215d4
-
SHA256
5873eeecc609bbf368ed09b3a3d7374c3a3c5611deb407edf0758f1d9017d54d
-
SHA512
d8afbb7b862505fe82aba93ebe25f78dcf3a8618eb5c142cedba11856423b2ab4a9a6496d6bf1e1c7dd67120a2070785c959496ccb98b7e2b50e1df46f8f5c0a
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3716-10-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral2/memory/3716-11-0x0000000000481E9E-mapping.dmp family_masslogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exedescription pid process target process PID 4760 set thread context of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exepid process 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exeDHL_Jan 2021 at 1.M_9B78290_PDF.exepid process 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exeDHL_Jan 2021 at 1.M_9B78290_PDF.exedescription pid process Token: SeDebugPrivilege 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe Token: SeDebugPrivilege 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exepid process 3716 DHL_Jan 2021 at 1.M_9B78290_PDF.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
DHL_Jan 2021 at 1.M_9B78290_PDF.exedescription pid process target process PID 4760 wrote to memory of 3640 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3640 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3640 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe PID 4760 wrote to memory of 3716 4760 DHL_Jan 2021 at 1.M_9B78290_PDF.exe DHL_Jan 2021 at 1.M_9B78290_PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL_Jan 2021 at 1.M_9B78290_PDF.exe"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3716-10-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/3716-20-0x0000000006AF0000-0x0000000006AF1000-memory.dmpFilesize
4KB
-
memory/3716-19-0x0000000006B40000-0x0000000006B41000-memory.dmpFilesize
4KB
-
memory/3716-18-0x0000000006320000-0x0000000006321000-memory.dmpFilesize
4KB
-
memory/3716-13-0x0000000073150000-0x000000007383E000-memory.dmpFilesize
6.9MB
-
memory/3716-11-0x0000000000481E9E-mapping.dmp
-
memory/4760-9-0x0000000005800000-0x000000000580F000-memory.dmpFilesize
60KB
-
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmpFilesize
6.9MB
-
memory/4760-8-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/4760-12-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/4760-7-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/4760-6-0x0000000004EA0000-0x0000000004F4E000-memory.dmpFilesize
696KB
-
memory/4760-5-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/4760-3-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB