Analysis
max time kernel: 127s
max time network: 127s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 20:08
Static task: static1
Behavioral task: behavioral1
  Sample: DHL_January 2021 at 28M_9B7290_PDF.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: DHL_January 2021 at 28M_9B7290_PDF.exe
  Resource: win10v20201028
General
Target: DHL_January 2021 at 28M_9B7290_PDF.exe
Size: 727KB
MD5: c13081675ef4f1fea467c18c31bf2492
SHA1: 6683c8d513c50cbe2a5999a4a5c31c4a90aeb01d
SHA256: 2d9b9f417d914d2b6f3bc2eefbe9b82ec3eacd8077f2ad4a1a05f393f8584bc8
SHA512: 76da00c45c88387f03eb727ad5ff948b39029a1c19d2f13070f08de94b9ec6084dea683b6345a2116c9a3b201f8d7ccd826c4343dcf5f04268ebc889981847a7
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/500-21-0x0000000000481E9E-mapping.dmp | family_masslogger
    behavioral2/memory/500-20-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | DHL_January 2021 at 28M_9B7290_PDF.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    13 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe
    description | pid | process | target process
    PID 1316 set thread context of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe
    pid | process
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe, DHL_January 2021 at 28M_9B7290_PDF.exe
    pid | process
    1316 | DHL_January 2021 at 28M_9B7290_PDF.exe
    1316 | DHL_January 2021 at 28M_9B7290_PDF.exe
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe, DHL_January 2021 at 28M_9B7290_PDF.exe
    description | pid | process
    Token: SeDebugPrivilege | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe
    Token: SeDebugPrivilege | 500 | DHL_January 2021 at 28M_9B7290_PDF.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe
    pid | process
    500 | DHL_January 2021 at 28M_9B7290_PDF.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: DHL_January 2021 at 28M_9B7290_PDF.exe
    description | pid | process | target process
    PID 1316 wrote to memory of 1984 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 1984 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 1984 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 3884 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 3884 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 3884 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 2464 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 2464 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 2464 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | SecEdit.exe
    PID 1316 wrote to memory of 976 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 976 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 976 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
    PID 1316 wrote to memory of 500 | 1316 | DHL_January 2021 at 28M_9B7290_PDF.exe | DHL_January 2021 at 28M_9B7290_PDF.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SecEdit.exe (level 2)
    Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
  - C:\Windows\SysWOW64\SecEdit.exe (level 2)
    Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
  - C:\Windows\SysWOW64\SecEdit.exe (level 2)
    Command line: "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
  - C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
  - C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
  MD5: 456fce3c9c70a5522b9ccb8e7805fafd
  SHA1: 5988836ad195d430687177e74544596b0bcc0324
  SHA256: 94e0a2f7c5813e0ffc3522c5cda4da66e218050c3a2f471a361d898722d7d991
  SHA512: b0ae155778bb726ef2f07256a09fc3c062e086d4cae13346f02141642fce0c49a3a239e813f4e69133e06ce3ba564056b3b903fce211dedbe2cf62ade1dfd6d9
- C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
  MD5: 49690b04039df7c36d6c0672e1fb32cd
  SHA1: 8f9c6ff079e52b4fb87e7475fcea2631fee28edf
  SHA256: 4b3dcc7dd63590a61b0b9a0075e08b004d609db0158927401ee6e72242d6e873
  SHA512: 3ee00bf6e43cfcdd2003e74bb83d4988b2b0ef22efa9869ec0a7bd3f93c0bcff549289e99619f026a6fea64be7c974331443bea10448c90b0d9d20781f445717
- C:\Users\Admin\AppData\Local\Temp\UserRights.log
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Local\Temp\UserRights.log
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- memory/500-28-0x0000000006D10000-0x0000000006D11000-memory.dmp (Filesize: 4KB)
- memory/500-22-0x0000000073C50000-0x000000007433E000-memory.dmp (Filesize: 6.9MB)
- memory/500-20-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/500-21-0x0000000000481E9E-mapping.dmp
- memory/1316-8-0x0000000007490000-0x0000000007491000-memory.dmp (Filesize: 4KB)
- memory/1316-2-0x0000000073C50000-0x000000007433E000-memory.dmp (Filesize: 6.9MB)
- memory/1316-16-0x0000000009730000-0x00000000097DE000-memory.dmp (Filesize: 696KB)
- memory/1316-17-0x00000000097E0000-0x00000000097E1000-memory.dmp (Filesize: 4KB)
- memory/1316-18-0x0000000009C20000-0x0000000009C21000-memory.dmp (Filesize: 4KB)
- memory/1316-19-0x0000000009B80000-0x0000000009B8F000-memory.dmp (Filesize: 60KB)
- memory/1316-7-0x0000000005680000-0x0000000005681000-memory.dmp (Filesize: 4KB)
- memory/1316-6-0x00000000056E0000-0x00000000056E1000-memory.dmp (Filesize: 4KB)
- memory/1316-5-0x0000000005D20000-0x0000000005D21000-memory.dmp (Filesize: 4KB)
- memory/1316-3-0x0000000000D80000-0x0000000000D81000-memory.dmp (Filesize: 4KB)
- memory/1984-9-0x0000000000000000-mapping.dmp
- memory/2464-12-0x0000000000000000-mapping.dmp
- memory/3884-10-0x0000000000000000-mapping.dmp