Analysis
- max time kernel: 21s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 20:24
Static task: static1
Behavioral task: behavioral1
  Sample: DHL_January 2020 at 14M_9B7290_PDF.vbs
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: DHL_January 2020 at 14M_9B7290_PDF.vbs
  Resource: win10v20201028
General
- Target: DHL_January 2020 at 14M_9B7290_PDF.vbs
- Size: 1.0MB
- MD5: 06bf59ecf4abab410b7f771d88e0888a
- SHA1: 17bc62c87ac1af2a943df16fe18aa939ae1459cd
- SHA256: 5c9f19d624fe41a825e77a1e2b3e0dd3a424d0372fbecf3867f84e9160bc23d3
- SHA512: 1960dc19f9310d69e49e51ff5318e41d10d0e28debbc4248d9beba1319c7e2a38f11f273d77b365ac73ad582af492acb8f3cd9e8219ecc5bf886288bff308627
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 5 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/2388-8-0x0000000000400000-0x0000000000496000-memory.dmp   family_masslogger
behavioral2/memory/2388-9-0x000000000040188B-mapping.dmp                     family_masslogger
behavioral2/memory/1320-11-0x000000001BED0000-0x000000001BF66000-memory.dmp  family_masslogger
behavioral2/memory/2388-12-0x0000000000400000-0x0000000000496000-memory.dmp  family_masslogger
behavioral2/memory/2388-14-0x00000000051F0000-0x0000000005271000-memory.dmp  family_masslogger
-
Executes dropped EXE 4 IoCs
Processes:
pid   process
4040  bkkkl.exe
208   bkkkl.exe
1320  bkkkl.exe
2388  bkkkl.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation  bkkkl.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
16    api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process    target process
PID 1320 set thread context of 2388  1320  bkkkl.exe  bkkkl.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
2388  bkkkl.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
2388  bkkkl.exe
2388  bkkkl.exe
2388  bkkkl.exe
2388  bkkkl.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
4040  bkkkl.exe
1320  bkkkl.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2388  bkkkl.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2388  bkkkl.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                          pid   process      target process
PID 580 wrote to memory of 4040      580   WScript.exe  bkkkl.exe
PID 580 wrote to memory of 4040      580   WScript.exe  bkkkl.exe
PID 580 wrote to memory of 4040      580   WScript.exe  bkkkl.exe
PID 4040 wrote to memory of 208      4040  bkkkl.exe    bkkkl.exe
PID 4040 wrote to memory of 208      4040  bkkkl.exe    bkkkl.exe
PID 4040 wrote to memory of 208      4040  bkkkl.exe    bkkkl.exe
PID 4040 wrote to memory of 1320     4040  bkkkl.exe    bkkkl.exe
PID 4040 wrote to memory of 1320     4040  bkkkl.exe    bkkkl.exe
PID 4040 wrote to memory of 1320     4040  bkkkl.exe    bkkkl.exe
PID 1320 wrote to memory of 2388     1320  bkkkl.exe    bkkkl.exe
PID 1320 wrote to memory of 2388     1320  bkkkl.exe    bkkkl.exe
PID 1320 wrote to memory of 2388     1320  bkkkl.exe    bkkkl.exe
PID 1320 wrote to memory of 2388     1320  bkkkl.exe    bkkkl.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_January 2020 at 14M_9B7290_PDF.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bkkkl.exe
    "C:\Users\Admin\AppData\Local\Temp\bkkkl.exe"
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bkkkl.exe
      "C:\Users\Admin\AppData\Local\Temp\bkkkl.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\bkkkl.exe
      "C:\Users\Admin\AppData\Local\Temp\bkkkl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bkkkl.exe
        "C:\Users\Admin\AppData\Local\Temp\bkkkl.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bkkkl.exe
  MD5: 311512292f477d868ce30955b002dba9
  SHA1: ce39b753799b652f8cb49b56562d483e6dff5ecd
  SHA256: 6a7658618a2814dea0bb2a95b4923ce7800266b1968394b1bcffb9c1d123c73c
  SHA512: 846548227e4193f1ea74271a5dbf2b2ad4d4afc0e678696d2663cf422d6f030fbc7b1df53fd6ab6cf889ccc0cd8a6269d7123bf9b21689122778af2a3ca017da
- memory/1320-6-0x0000000000000000-mapping.dmp
- memory/1320-11-0x000000001BED0000-0x000000001BF66000-memory.dmp  Filesize: 600KB
- memory/2388-14-0x00000000051F0000-0x0000000005271000-memory.dmp  Filesize: 516KB
- memory/2388-9-0x000000000040188B-mapping.dmp
- memory/2388-12-0x0000000000400000-0x0000000000496000-memory.dmp  Filesize: 600KB
- memory/2388-13-0x0000000073610000-0x0000000073CFE000-memory.dmp  Filesize: 6.9MB
- memory/2388-8-0x0000000000400000-0x0000000000496000-memory.dmp  Filesize: 600KB
- memory/2388-16-0x00000000056D0000-0x00000000056D1000-memory.dmp  Filesize: 4KB
- memory/2388-17-0x0000000005C70000-0x0000000005C71000-memory.dmp  Filesize: 4KB
- memory/2388-18-0x00000000064E0000-0x00000000064E1000-memory.dmp  Filesize: 4KB
- memory/2388-19-0x0000000006CD0000-0x0000000006CD1000-memory.dmp  Filesize: 4KB
- memory/2388-20-0x0000000006D20000-0x0000000006D21000-memory.dmp  Filesize: 4KB
- memory/2388-21-0x0000000006EE0000-0x0000000006EE1000-memory.dmp  Filesize: 4KB
- memory/4040-2-0x0000000000000000-mapping.dmp