Overview

overview

10

Static

static

LPO 190298...sx.exe

windows7_x64

10

LPO 190298...sx.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-08-2021 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LPO 19029877_2021082267673554635,xlsx.exe

  • Size

    1.2MB

  • MD5

    9fbfa26e891d310cf1c766834b76b1e3

  • SHA1

    619af6bf696d00d8a5f50f320486e28a28736933

  • SHA256

    c4f72c811a7b6f83b8cde40cbc757b3ed51eaea7c55edcc6f659389d011687fe

  • SHA512

    6cd9e3ab966f1e86a715fbc53c9a4b1f950c9261643d56a92f00c88b665d653d25370c75332e9cd3271d903f0de6ae2f9b8753e8245de7fb606d6303bd4dfe22

Score
10/10
a310loggerspywarestealer

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • A310logger Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZnirYwzu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27CC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4016
    • C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe
      "C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe"
      2⤵
        PID:1412
      • C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe
        "C:\Users\Admin\AppData\Local\Temp\LPO 19029877_2021082267673554635,xlsx.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
          3⤵
          • Executes dropped EXE
          PID:3880
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            4⤵
              PID:4060

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/652-120-0x0000000004E70000-0x0000000004E71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-118-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-121-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-122-0x00000000050A0000-0x00000000050B1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/652-123-0x00000000074B0000-0x000000000758C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/652-124-0x0000000009B90000-0x0000000009BFF000-memory.dmp

        Filesize

        444KB

        Download

      • memory/652-116-0x0000000004D10000-0x0000000004D11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-119-0x0000000004EA0000-0x000000000539E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/652-117-0x00000000053A0000-0x00000000053A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2124-127-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/3880-134-0x0000000000B40000-0x0000000000B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3880-136-0x000000001B700000-0x000000001B702000-memory.dmp

        Filesize

        8KB

        Download