Overview

overview

10

Static

static

UPS Shipment ,PDF.exe

windows7_x64

10

UPS Shipment ,PDF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UPS Shipment ,PDF.exe

  • Size

    881KB

  • MD5

    35a1514e8d69cd7de31c9fdb3bf18fa8

  • SHA1

    28494ffaf4aa6b7d8bdfe7cf18f38722a0bb6ca0

  • SHA256

    ad399d55df47232575d67ad96a37f72d6cb5dc34a338942c578c1ddf6bf5f9cd

  • SHA512

    8f7c5c679f723bc0c534e06daa31983e7d7e4a0a2cebd0760fd51cb65131dc43c45552d64823eda6981a6b5327f187d3840f3c7b87981845fae70ed3c202e69a

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:220
    • C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4812
      • C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:672
        • C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3716
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1928
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4668
          • C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\UPS Shipment ,PDF.exe"
            5⤵
              PID:2784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
      Filesize

      994B

      MD5

      334ac3d2e55f80a9b69e02d1dbc44947

      SHA1

      dea2b26b13eca80ad781cfeeaf7082e0d0dc4f2e

      SHA256

      cfc8439b36fdd0455772cdb646d04b93858f9bc44fc94473bf73b253c2e4f25d

      SHA512

      83b5111afd7b24bf4bc193b01587ce590655d25ae9d0f333f6dbd1ddd2d93c2b22b48f5a52aa3c7d7d5833d774fcc729a7f6f9d1faf7277d1fc8deec16efd649

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      25604a2821749d30ca35877a7669dff9

      SHA1

      49c624275363c7b6768452db6868f8100aa967be

      SHA256

      7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

      SHA512

      206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      d8d0dfa59681536b8713eadd4ce6ef47

      SHA1

      7e782f15a9dae6275c3dfd1072fec36d79ede261

      SHA256

      36051e4d8023bf0c5f2bce78c931e93e50ddc886eb324ac6ee65b67768228432

      SHA512

      8444344eafdf02ef50e292d6d15eea80d11d7f652c30beb28e379cb9e4cdc5b61e56c9571b43b2166aa6182f19cf48fb18815196351c512a66e75df56b20265d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      0cbef61a5bd816ff163f452c5824b6da

      SHA1

      f2c51216d5888f71f683809374ec15c74d222f1f

      SHA256

      c7ca45a39d5a1d401965b08e7f4410a0f8ae736de1e7adee1771ca1946fe23f7

      SHA512

      7379b7c5c11bb3a8193f50984e08e739249e0aec2e1deec798eaf3fbc2692d7b76186181ceec8b7160bd22ae9954c9f3f63c6f5d855885b6a69c118f13595fe5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      a58dbfd91ba56b6a1e2f58cd57e4739e

      SHA1

      0de91e4ac00758e7003b76d8dd641fb7d1ab8bd7

      SHA256

      5db004306123f8bed4300c4fb89430da1a96161a77c2c2474d62c8c489c5baeb

      SHA512

      03c8275858b309dc558434428f8ed2baefb56f634808a307bac70ff0763d8ee9522b6d2627deefc9205a6003791717434ba5d1e91b97f5d0e468f63741fd0de0

      Download Submit

    • memory/220-145-0x00000000063A0000-0x00000000063BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/220-150-0x0000000007740000-0x00000000077D6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/220-151-0x0000000006A70000-0x0000000006A92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/220-147-0x00000000069B0000-0x00000000069CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/220-146-0x0000000007D20000-0x000000000839A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/220-140-0x0000000000000000-mapping.dmp

      Download

    • memory/220-141-0x0000000002B20000-0x0000000002B56000-memory.dmp

      Filesize

      216KB

      Download

    • memory/220-142-0x0000000005810000-0x0000000005E38000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/220-143-0x0000000005480000-0x00000000054A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/220-144-0x0000000005720000-0x0000000005786000-memory.dmp

      Filesize

      408KB

      Download

    • memory/672-160-0x0000000000000000-mapping.dmp

      Download

    • memory/1288-153-0x0000000000000000-mapping.dmp

      Download

    • memory/1304-139-0x0000000000000000-mapping.dmp

      Download

    • memory/1376-130-0x00000000009B0000-0x0000000000A92000-memory.dmp

      Filesize

      904KB

      Download

    • memory/1376-132-0x0000000005870000-0x0000000005873000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1664-136-0x00000000052B0000-0x0000000005316000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1664-138-0x00000000055C0000-0x0000000005652000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1664-135-0x00000000050D0000-0x000000000516C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1664-134-0x0000000005770000-0x0000000005D14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1664-133-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/1664-131-0x0000000000000000-mapping.dmp

      Download

    • memory/1928-164-0x0000000000000000-mapping.dmp

      Download

    • memory/2356-157-0x0000000000000000-mapping.dmp

      Download

    • memory/2784-163-0x0000000000000000-mapping.dmp

      Download

    • memory/3088-152-0x0000000000000000-mapping.dmp

      Download

    • memory/3504-159-0x0000000000000000-mapping.dmp

      Download

    • memory/3716-162-0x0000000000000000-mapping.dmp

      Download

    • memory/4144-158-0x0000000000000000-mapping.dmp

      Download

    • memory/4560-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4668-165-0x0000000000000000-mapping.dmp

      Download

    • memory/4796-148-0x0000000000000000-mapping.dmp

      Download

    • memory/4812-154-0x0000000000000000-mapping.dmp

      Download