Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 14-01-2021 20:08

Static task: static1
Behavioral task: behavioral1
  Sample: DHL_January 2021 at 28M_9B7290_PDF.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: DHL_January 2021 at 28M_9B7290_PDF.exe
  Resource: win10v20201028
General

Target: DHL_January 2021 at 28M_9B7290_PDF.exe
Size: 727KB
MD5: c13081675ef4f1fea467c18c31bf2492
SHA1: 6683c8d513c50cbe2a5999a4a5c31c4a90aeb01d
SHA256: 2d9b9f417d914d2b6f3bc2eefbe9b82ec3eacd8077f2ad4a1a05f393f8584bc8
SHA512: 76da00c45c88387f03eb727ad5ff948b39029a1c19d2f13070f08de94b9ec6084dea683b6345a2116c9a3b201f8d7ccd826c4343dcf5f04268ebc889981847a7

Note: the file name ends in _PDF.exe, a double-extension lure on a DHL shipping theme; with known extensions hidden, Explorer shows it as "DHL_January 2021 at 28M_9B7290_PDF".
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer that targets saved passwords from web browsers, email clients and cryptocurrency clients.

- MassLogger Main Payload (4 IoCs)
  All four YARA hits are in PID 524: three on the 0x400000-0x486000 region and one on the mapping dump at 0x481E9E, which lies inside that region. PID 524 is the child that PID 1080 wrote into and then called SetThreadContext on (see the tables below), so the region is the unpacked payload, not the on-disk file.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/524-14-0x0000000000400000-0x0000000000486000-memory.dmp   family_masslogger
    behavioral1/memory/524-15-0x0000000000481E9E-mapping.dmp                     family_masslogger
    behavioral1/memory/524-16-0x0000000000400000-0x0000000000486000-memory.dmp   family_masslogger
    behavioral1/memory/524-17-0x0000000000400000-0x0000000000486000-memory.dmp   family_masslogger

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description         ioc                                                                                                  process
    Key value queried   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation   DHL_January 2021 at 28M_9B7290_PDF.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    6      api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid    process                                   target process
    PID 1080 set thread context of 524   1080   DHL_January 2021 at 28M_9B7290_PDF.exe    DHL_January 2021 at 28M_9B7290_PDF.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid    process
    524    DHL_January 2021 at 28M_9B7290_PDF.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid    process
    1080   DHL_January 2021 at 28M_9B7290_PDF.exe
    1080   DHL_January 2021 at 28M_9B7290_PDF.exe
    524    DHL_January 2021 at 28M_9B7290_PDF.exe
    524    DHL_January 2021 at 28M_9B7290_PDF.exe
    524    DHL_January 2021 at 28M_9B7290_PDF.exe
    524    DHL_January 2021 at 28M_9B7290_PDF.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1080   DHL_January 2021 at 28M_9B7290_PDF.exe
    Token: SeDebugPrivilege   524    DHL_January 2021 at 28M_9B7290_PDF.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  AddClipboardFormatListener and SetWindowsHookEx in the injected child (PID 524) are the usual user-mode APIs for watching the clipboard and installing a keyboard hook.
  Processes:
    pid    process
    524    DHL_January 2021 at 28M_9B7290_PDF.exe

- Suspicious use of WriteProcessMemory (25 IoCs)
  All 25 events come from PID 1080 and collapse to five target processes. PID 524, the only child that also received SetThreadContext, gets the most writes and is the process the MassLogger payload was dumped from.
  Processes:
    description                          pid    process                                   target process                            count
    PID 1080 wrote to memory of 1100     1080   DHL_January 2021 at 28M_9B7290_PDF.exe    SecEdit.exe                               4
    PID 1080 wrote to memory of 268      1080   DHL_January 2021 at 28M_9B7290_PDF.exe    SecEdit.exe                               4
    PID 1080 wrote to memory of 1176     1080   DHL_January 2021 at 28M_9B7290_PDF.exe    SecEdit.exe                               4
    PID 1080 wrote to memory of 1132     1080   DHL_January 2021 at 28M_9B7290_PDF.exe    DHL_January 2021 at 28M_9B7290_PDF.exe    4
    PID 1080 wrote to memory of 524      1080   DHL_January 2021 at 28M_9B7290_PDF.exe    DHL_January 2021 at 28M_9B7290_PDF.exe    9
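The WriteProcessMemory and SetThreadContext tables above are what a hollowing check keys on: a parent writing into a child that runs the same image and then resetting that child's thread context. The script below is an added example (not the sandbox's own tooling) that applies that heuristic to events constructed to mirror the report's counts, and parses the dump names from the Downloads list so a YARA hit on a dump can be tied back to the written-into region. The event field names (api, pid, process, target_pid, target_process) and the heuristic itself are assumptions of this example, not the sandbox's schema or rules.

```python
"""
Added example: hollowing heuristic over sandbox-style API events, plus a parser
for the report's memory-dump file names. Not vendor tooling; event field names
and the heuristic are assumptions of this example.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "DHL_January 2021 at 28M_9B7290_PDF.exe"


def _ev(api, pid, target_pid, target_process, n=1):
    """Build n separate constructed events issued by `pid` (the report's parent, 1080)."""
    return [{"api": api, "pid": pid, "process": SAMPLE,
             "target_pid": target_pid, "target_process": target_process}
            for _ in range(n)]


# Constructed to mirror the report: 4 writes into each SecEdit child and into the
# first DHL child (1132); 9 writes plus one SetThreadContext into PID 524.
EVENTS = (
    _ev("WriteProcessMemory", 1080, 1100, "SecEdit.exe", 4)
    + _ev("WriteProcessMemory", 1080, 268, "SecEdit.exe", 4)
    + _ev("WriteProcessMemory", 1080, 1176, "SecEdit.exe", 4)
    + _ev("WriteProcessMemory", 1080, 1132, SAMPLE, 4)
    + _ev("WriteProcessMemory", 1080, 524, SAMPLE, 9)
    + _ev("SetThreadContext", 1080, 524, SAMPLE)
)


def write_counts(events):
    """WriteProcessMemory calls per (writer pid, target pid, target image)."""
    counts = Counter()
    for e in events:
        if e["api"] == "WriteProcessMemory":
            counts[(e["pid"], e["target_pid"], e["target_process"])] += 1
    return dict(counts)


def hollowing_candidates(events):
    """
    Heuristic (assumption of this example): a parent that writes into a child
    running the SAME image and then sets that child's thread context has
    replaced the child's code before it ran.
    Returns sorted (parent_pid, child_pid, image, write_count) tuples.
    """
    writes = defaultdict(int)
    images = {}
    ctx_targets = set()
    for e in events:
        key = (e["pid"], e["target_pid"])
        images[key] = (e["process"], e["target_process"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            ctx_targets.add(key)
    found = []
    for key in ctx_targets:
        src, dst = images[key]
        if src.lower() == dst.lower() and writes[key] > 0:
            found.append((key[0], key[1], dst, writes[key]))
    return sorted(found)


# Dump names in the report look like memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp
_DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """
    Parse a dump name into {pid, seq, kind, start, end, size_kb}. Mapping dumps
    carry a single address, so 'end' and 'size_kb' are None for them.
    """
    m = _DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size_kb": (end - start) // 1024 if end is not None else None}


def address_in_dump(mapping_name, memory_name):
    """True if a mapping dump's address lies inside a memory dump of the same PID."""
    a, r = parse_dump_name(mapping_name), parse_dump_name(memory_name)
    return a["pid"] == r["pid"] and r["start"] <= a["start"] < r["end"]


if __name__ == "__main__":
    for cand in hollowing_candidates(EVENTS):
        print("hollowing candidate: parent %d -> child %d (%s), %d writes" % cand)
    print(parse_dump_name("memory/524-14-0x0000000000400000-0x0000000000486000-memory.dmp"))
```

Run as-is it reports the single 1080 -> 524 pair; the three SecEdit children and PID 1132 receive writes but no SetThreadContext and are left out. The dump parser confirms the YARA-matched region is 0x86000 bytes, the 536KB the Downloads list shows, and that the 0x481E9E mapping address sits inside it.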
Processes

C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe  [depth 1]
  "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\SecEdit.exe  [depth 2]
    "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log

  C:\Windows\SysWOW64\SecEdit.exe  [depth 2]
    "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log

  C:\Windows\SysWOW64\SecEdit.exe  [depth 2]
    "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log

  Note: the command line names System32\SecEdit.exe but the image path is SysWOW64\SecEdit.exe, so the parent is a 32-bit process and WoW64 file-system redirection resolved the path. secedit /export with /areas User_Rights writes the User Rights Assignment part of the local security policy to an INI-style file (the UserRights.cfg artifacts under Downloads). The report does not show what the sample does with the export.

  C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe  [depth 2]
    "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
    (no signatures; matches PID 1132 in the WriteProcessMemory table, which received writes but no SetThreadContext)

  C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe  [depth 2]  (PID 524, per the signature tables)
    "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
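The three SecEdit invocations above each write a UserRights.cfg, and those files are listed under Downloads, so an analyst who pulls them from the sandbox wants to read them. secedit writes an INI-style file, normally UTF-16LE with a byte-order mark; its [Privilege Rights] section maps each privilege (for example SeDebugPrivilege, which both PIDs also enable in their own tokens) to a comma-separated list of holders, where a leading "*" marks a SID and a bare token is an account name. The parser below is an added example, not part of the report or of SecEdit; the sample export it embeds is constructed for illustration and is not the content of the report's UserRights.cfg, which the report does not include.

```python
"""
Added example: parse the INI-style file written by
`secedit /export /cfg <file> /areas User_Rights`. Not part of the report or of
SecEdit. SAMPLE_EXPORT is constructed in secedit's layout for illustration.
"""
import codecs
from typing import Dict, List

# Constructed sample in the layout secedit uses; encoded as UTF-16LE with BOM below.
SAMPLE_EXPORT_TEXT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeTcbPrivilege =
SeServiceLogonRight = *S-1-5-80-0,NT SERVICE\\ALL SERVICES
[Version]
signature="$CHICAGO$"
Revision=1
"""
SAMPLE_EXPORT = codecs.BOM_UTF16_LE + SAMPLE_EXPORT_TEXT.replace("\n", "\r\n").encode("utf-16-le")


def decode_export(data: bytes) -> str:
    """Decode an export: honour a UTF-16 BOM, otherwise fall back to ANSI."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")  # the 'utf-16' codec consumes the BOM
    # Assumption: an English ANSI code page for BOM-less files.
    return data.decode("cp1252", errors="replace")


def parse_secedit_export(data: bytes) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style export into {section: {key: raw_value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in decode_export(data).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def privilege_holders(sections: Dict[str, Dict[str, str]], privilege: str) -> List[str]:
    """Holders of one privilege as SIDs or account names; [] when unassigned."""
    raw = sections.get("Privilege Rights", {}).get(privilege, "")
    holders = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok:
            holders.append(tok[1:] if tok.startswith("*") else tok)
    return holders


def all_privilege_holders(sections: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Every privilege in the export mapped to its holder list."""
    return {p: privilege_holders(sections, p) for p in sections.get("Privilege Rights", {})}


if __name__ == "__main__":
    cfg = parse_secedit_export(SAMPLE_EXPORT)
    for priv, who in all_privilege_holders(cfg).items():
        print(f"{priv}: {', '.join(who) or '(nobody)'}")
```

On a real export, feed the bytes of UserRights.cfg to parse_secedit_export and look at SeDebugPrivilege: by default only the built-in Administrators group (S-1-5-32-544) holds it, which is what lets an elevated process such as PID 1080 enable it with AdjustTokenPrivileges.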
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
  MD5: d353be64a3ac409d9531ec6311a55140
  SHA1: 8d0d07175aa4560ff251ab2d7994d5442233bc17
  SHA256: 487b44f8208125557ce533248c164f54112816af448902bc217785eaa958c84d
  SHA512: 4f65c265df334d7a0e8e434bd012c41409fff9858b1a4a6cd56c8d1fca50ad3f221baef74c07d6d76145fb1fb2deeb8b9011025b7b7ffa4960d7ff98c5ab0e4b

- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
  MD5: dfd012ea179d6ffc84c07b5f3c19f7fd
  SHA1: b5e4e2430f451f009f5391e6eac79b4bd5780934
  SHA256: 152f7b1f3be110b828bf30d46d8951bd54c169b7e4115b0bde2d3afb48dcc7bf
  SHA512: 746fbae6a07ce43aba5cd0afb8b0c577aec12fdfc35db477a805f1ddcfa3d67716d30f368d8b6cecdc8263878cc19a4a86e27c94c635234b0a2f45b83327a24f

- C:\Users\Admin\AppData\Local\Temp\UserRights.log
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

- C:\Users\Admin\AppData\Local\Temp\UserRights.log (second capture of the same path; hashes identical to the entry above)
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Memory dumps (the 0x400000-0x486000 region of PID 524 is the one the family_masslogger YARA rule matched; the same 6.9MB region at 0x74CF0000 appears in both PID 1080 and PID 524):

- memory/268-6-0x0000000000000000-mapping.dmp
- memory/524-14-0x0000000000400000-0x0000000000486000-memory.dmp  Filesize: 536KB
- memory/524-15-0x0000000000481E9E-mapping.dmp
- memory/524-16-0x0000000000400000-0x0000000000486000-memory.dmp  Filesize: 536KB
- memory/524-17-0x0000000000400000-0x0000000000486000-memory.dmp  Filesize: 536KB
- memory/524-18-0x0000000074CF0000-0x00000000753DE000-memory.dmp  Filesize: 6.9MB
- memory/1080-12-0x0000000008090000-0x000000000813E000-memory.dmp  Filesize: 696KB
- memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp  Filesize: 6.9MB
- memory/1080-13-0x0000000002130000-0x000000000213F000-memory.dmp  Filesize: 60KB
- memory/1080-3-0x0000000000910000-0x0000000000911000-memory.dmp  Filesize: 4KB
- memory/1100-5-0x0000000000000000-mapping.dmp
- memory/1176-9-0x0000000000000000-mapping.dmp