Analysis
- max time kernel: 119s
- max time network: 182s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 01-07-2021 04:36
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.bin.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Purchase Order.bin.exe
- Resource: win10v20210408
General
- Target: Purchase Order.bin.exe
- Size: 796KB
- MD5: a055b63f32102d1b5ba0d7064d75526b
- SHA1: 6032e66d65cf7992162047780ccadbee38751dea
- SHA256: 6ad5aee17e0fa5baa1a5ba9b0375faa8e98ff72dd4a79e5fb8209237167e119d
- SHA512: 45b6b104f848a993cea0854ee65fc9a88b5cac379db492f7c850dfa787efa9c8d82a403c7d868683303b6e7e5e4068a1eea830330359e633a9f3e7c2e1b37024
Malware Config
- Extracted: C:\Users\Admin\AppData\Local\Temp\5089EDCC92\Log.txt
- Family: masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 3 IoCs
resource | yara_rule
behavioral1/memory/1556-67-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1556-68-0x00000000004A2B2E-mapping.dmp | family_masslogger
behavioral1/memory/1556-69-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
yara_rule
masslogger_log_file
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource | yara_rule
behavioral1/memory/1732-64-0x00000000007E0000-0x0000000000889000-memory.dmp | rezer0
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Purchase Order.bin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Purchase Order.bin.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation | Purchase Order.bin.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | api.ipify.org
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Purchase Order.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Purchase Order.bin.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1732 set thread context of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1556 | Purchase Order.bin.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1732 | Purchase Order.bin.exe
1732 | Purchase Order.bin.exe
1556 | Purchase Order.bin.exe
1556 | Purchase Order.bin.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1732 | Purchase Order.bin.exe
Token: SeDebugPrivilege | 1556 | Purchase Order.bin.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1556 | Purchase Order.bin.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1732 wrote to memory of 1480 | 1732 | Purchase Order.bin.exe | schtasks.exe
PID 1732 wrote to memory of 1480 | 1732 | Purchase Order.bin.exe | schtasks.exe
PID 1732 wrote to memory of 1480 | 1732 | Purchase Order.bin.exe | schtasks.exe
PID 1732 wrote to memory of 1480 | 1732 | Purchase Order.bin.exe | schtasks.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
PID 1732 wrote to memory of 1556 | 1732 | Purchase Order.bin.exe | Purchase Order.bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxGCOrqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp676.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe (depth 2)
    Command line: "{path}"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp676.tmp
  MD5: 0592b7de66311f0c8757b189c3909882
  SHA1: 9fde8074dec59b0bd2fa743222263b5e48fca270
  SHA256: 1e03631b904b995291c67d2f6b951b7e784adbe748410bc7a19ed24f78db7e90
  SHA512: e722329de53a29d679e08a178fe81499fb5c8a7c90843336c0ffb7fa5c6a9d182e92e034637426487a7814bb93c48b9b57703c12994227a5c6e599999557990e
- memory/1480-65-0x0000000000000000-mapping.dmp
- memory/1556-71-0x00000000001E0000-0x000000000021E000-memory.dmp, Filesize: 248KB
- memory/1556-67-0x0000000000400000-0x00000000004A8000-memory.dmp, Filesize: 672KB
- memory/1556-68-0x00000000004A2B2E-mapping.dmp
- memory/1556-69-0x0000000000400000-0x00000000004A8000-memory.dmp, Filesize: 672KB
- memory/1556-72-0x0000000004E20000-0x0000000004E21000-memory.dmp, Filesize: 4KB
- memory/1556-73-0x0000000004E25000-0x0000000004E36000-memory.dmp, Filesize: 68KB
- memory/1556-74-0x0000000004E36000-0x0000000004E37000-memory.dmp, Filesize: 4KB
- memory/1732-64-0x00000000007E0000-0x0000000000889000-memory.dmp, Filesize: 676KB
- memory/1732-63-0x0000000004A50000-0x0000000004A51000-memory.dmp, Filesize: 4KB
- memory/1732-62-0x0000000000200000-0x0000000000202000-memory.dmp, Filesize: 8KB
- memory/1732-60-0x0000000000900000-0x0000000000901000-memory.dmp, Filesize: 4KB