Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 26-03-2022 23:07

Static task: static1

Behavioral task: behavioral1
Sample: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
Resource: win7-20220310-en

Behavioral task: behavioral2
Sample: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
Resource: win10v2004-en-20220113
General

Target: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
Size: 1.0MB
MD5: 02cadb9489d5db4e68b01febcf6bc2da
SHA1: dbd38f77e72b4db0f7cb9d068773bbffc3a0d37e
SHA256: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126
SHA512: 9a7374c05ed28106096655f0beb6100372a5dd6760df6119d95dfb06180b0d78ad57a66753e52059bbd66ca2357f912e54ced01593ab97ca75ce7bdc395b37d9
Malware Config
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoCs)
resource: behavioral2/memory/2064-140-0x0000000000400000-0x000000000048C000-memory.dmp; yara_rule: family_masslogger

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Suspicious use of SetThreadContext (1 IoCs)
description: PID 1268 set thread context of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid: 1936; pid_target: 2064; Process: WerFault.exe; procid_target: 92

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 1692; Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description: PID 1268 wrote to memory of 1692; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 90
description: PID 1268 wrote to memory of 1692; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 90
description: PID 1268 wrote to memory of 1692; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 90
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
description: PID 1268 wrote to memory of 2064; pid: 1268; Process: aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe; procid_target: 92
Processes

[1] C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
    PID: 1268
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxshqXOJkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EC7.tmp"
        PID: 1692
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"
        PID: 2064

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 968
            PID: 1936
            - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064
    PID: 224
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe.log
Filesize: 1KB
MD5: 5200da2e50f24d5d543c3f10674acdcb
SHA1: b574a3336839882d799c0a7f635ea238efb934ee
SHA256: d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
SHA512: 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb

Filesize: 1KB
MD5: 90f76e769f38b843104419d176b47d7b
SHA1: b0f5eb1a9eec6c791cfdc4b821d166526a94e529
SHA256: 1bf098f42898c81cd70ccc6f9ac80cb4e64dc241401a5342d6d7d9408435646e
SHA512: b9a2cd333811b5435c47cbfa31410904e4e0892dd349bf2020ad409a6b97736d8a9af9b58ed4c7d55c75438b1366422f58bde1301c9a2eb1a35b79d06c5c0519