Analysis
max time kernel: 56s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 01-07-2021 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order.bin.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Purchase Order.bin.exe
  Resource: win10v20210408
General
Target: Purchase Order.bin.exe
Size: 796KB
MD5: a055b63f32102d1b5ba0d7064d75526b
SHA1: 6032e66d65cf7992162047780ccadbee38751dea
SHA256: 6ad5aee17e0fa5baa1a5ba9b0375faa8e98ff72dd4a79e5fb8209237167e119d
SHA512: 45b6b104f848a993cea0854ee65fc9a88b5cac379db492f7c850dfa787efa9c8d82a403c7d868683303b6e7e5e4068a1eea830330359e633a9f3e7c2e1b37024
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\1A60FBA9DF\Log.txt
  Family: masslogger
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (2 IoCs)
Processes:
  resource: behavioral2/memory/508-125-0x0000000000400000-0x00000000004A8000-memory.dmp; yara_rule: family_masslogger
  resource: behavioral2/memory/508-126-0x00000000004A2B2E-mapping.dmp; yara_rule: family_masslogger

MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
Processes:
  yara_rule: masslogger_log_file

Looks for VirtualBox Guest Additions in registry (2 TTPs)

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource: behavioral2/memory/992-120-0x0000000006800000-0x00000000068A9000-memory.dmp; yara_rule: rezer0

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: Purchase Order.bin.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: Purchase Order.bin.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation; process: Purchase Order.bin.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 14; ioc: api.ipify.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; process: Purchase Order.bin.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0; process: Purchase Order.bin.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 992 set thread context of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 508; process: Purchase Order.bin.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid: 992; process: Purchase Order.bin.exe
  pid: 992; process: Purchase Order.bin.exe
  pid: 992; process: Purchase Order.bin.exe
  pid: 508; process: Purchase Order.bin.exe
  pid: 508; process: Purchase Order.bin.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege; pid: 992; process: Purchase Order.bin.exe
  description: Token: SeDebugPrivilege; pid: 508; process: Purchase Order.bin.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 508; process: Purchase Order.bin.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description: PID 992 wrote to memory of 3232; pid: 992; process: Purchase Order.bin.exe; target process: schtasks.exe
  description: PID 992 wrote to memory of 3232; pid: 992; process: Purchase Order.bin.exe; target process: schtasks.exe
  description: PID 992 wrote to memory of 3232; pid: 992; process: Purchase Order.bin.exe; target process: schtasks.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
  description: PID 992 wrote to memory of 508; pid: 992; process: Purchase Order.bin.exe; target process: Purchase Order.bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxGCOrqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1B8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order.bin.exe (depth 2)
    Command line: "{path}"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.bin.exe.log
  MD5: 36946c53599e09d856dccb964b642e38
  SHA1: e39fefd5af1512b30e17df1856742b73dd07fdae
  SHA256: 3f696abfa1fe4f80aa4c525fb471836038bef2ac60f2b2f0b7dd6023cfabe105
  SHA512: 57703125cf5b485a39f9316a9a9ec36a0bc8ada069c23fa6b4f4dd576b2806a3a770557d73643bed22b2026e186b6fddb98287105c61a69253c9eb2ee5346535
- C:\Users\Admin\AppData\Local\Temp\tmpF1B8.tmp
  MD5: 1aceb2edbf4da9f7f5954b8e07f49cd7
  SHA1: 2624dc2c1e0375839b8c5adfba553457ba056972
  SHA256: 6118a6133a8d991fa5527a641799324b12b725bfd3da704f617cbf53b672b0d9
  SHA512: 4a76ff37e5f39a24f82b77d9c3356930cda6c5e35db459b7e4d7871392b3c25549f9fe963d358af4a1212869ccc714bc5c1a9fb2d7698f3e2dbcd4e0605b3117
- memory/508-138-0x00000000083B0000-0x00000000083B1000-memory.dmp
  Filesize: 4KB
- memory/508-137-0x0000000006F50000-0x0000000006F51000-memory.dmp
  Filesize: 4KB
- memory/508-136-0x0000000005263000-0x0000000005265000-memory.dmp
  Filesize: 8KB
- memory/508-133-0x0000000005260000-0x0000000005261000-memory.dmp
  Filesize: 4KB
- memory/508-132-0x0000000005210000-0x000000000524E000-memory.dmp
  Filesize: 248KB
- memory/508-126-0x00000000004A2B2E-mapping.dmp
- memory/508-125-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize: 672KB
- memory/992-119-0x0000000004B90000-0x0000000004B91000-memory.dmp
  Filesize: 4KB
- memory/992-122-0x00000000054C0000-0x00000000054C1000-memory.dmp
  Filesize: 4KB
- memory/992-121-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
  Filesize: 4KB
- memory/992-120-0x0000000006800000-0x00000000068A9000-memory.dmp
  Filesize: 676KB
- memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp
  Filesize: 4KB
- memory/992-118-0x0000000004F80000-0x0000000004F81000-memory.dmp
  Filesize: 4KB
- memory/992-117-0x0000000002480000-0x0000000002482000-memory.dmp
  Filesize: 8KB
- memory/992-116-0x0000000004E40000-0x0000000004E41000-memory.dmp
  Filesize: 4KB
- memory/3232-123-0x0000000000000000-mapping.dmp