Analysis

  • max time kernel: 67s
  • max time network: 69s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 22-08-2021 02:18

General

  • Target: LPO 19029877_2021082267673554635,xlsx.exe
  • Size: 1.2MB
  • MD5: 9fbfa26e891d310cf1c766834b76b1e3
  • SHA1: 619af6bf696d00d8a5f50f320486e28a28736933
  • SHA256: c4f72c811a7b6f83b8cde40cbc757b3ed51eaea7c55edcc6f659389d011687fe
  • SHA512: 6cd9e3ab966f1e86a715fbc53c9a4b1f950c9261643d56a92f00c88b665d653d25370c75332e9cd3271d903f0de6ae2f9b8753e8245de7fb606d6303bd4dfe22

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • A310logger Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZnirYwzu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA19.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:656
    • C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe
      "C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        PID:384

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/384-80-0x000000001B190000-0x000000001B192000-memory.dmp (Filesize: 8KB)
  • memory/384-78-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize: 4KB)
  • memory/568-72-0x0000000076E11000-0x0000000076E13000-memory.dmp (Filesize: 8KB)
  • memory/568-73-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
  • memory/568-68-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
  • memory/1104-60-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
  • memory/1104-65-0x0000000005310000-0x000000000537F000-memory.dmp (Filesize: 444KB)
  • memory/1104-64-0x0000000005890000-0x000000000596C000-memory.dmp (Filesize: 880KB)
  • memory/1104-63-0x00000000003E0000-0x00000000003F1000-memory.dmp (Filesize: 68KB)
  • memory/1104-62-0x0000000000640000-0x0000000000641000-memory.dmp (Filesize: 4KB)