Analysis
- max time kernel: 136s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 14:24

Static task: static1

Behavioral task: behavioral1
- Sample: QUOTE PRICES IN USD.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: QUOTE PRICES IN USD.exe
- Resource: win10v2004-20220414-en
General
- Target: QUOTE PRICES IN USD.exe
- Size: 864KB
- MD5: 1120a77cf247c7280324fbe983c116b9
- SHA1: b983296cee73f1cbb8280ba019f4970d2bf23e02
- SHA256: 02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3
- SHA512: fce768723f21ba1334b4867c260a8f7c49fb3879d586eca3747aa2ef76aaa7607a2ed7ff630318056e1f0378caaa255135eb114569963e4ebad4a7fa0d9e0544
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (1 IoC)
  Processes (resource / yara_rule):
  - behavioral2/memory/1668-135-0x0000000000400000-0x00000000004B8000-memory.dmp / family_masslogger
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - set thread context / PID 2156 QUOTE PRICES IN USD.exe / target 1668 QUOTE PRICES IN USD.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid / process, with number of hits):
  - 2156 QUOTE PRICES IN USD.exe (22 hits)
  - 1668 QUOTE PRICES IN USD.exe (2 hits)
  - 2428 powershell.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2156 / QUOTE PRICES IN USD.exe
  - Token: SeDebugPrivilege / 1668 / QUOTE PRICES IN USD.exe
  - Token: SeDebugPrivilege / 2428 / powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process, with number of hits):
  - wrote to memory / 2156 QUOTE PRICES IN USD.exe / target 1668 QUOTE PRICES IN USD.exe (8 hits)
  - wrote to memory / 1668 QUOTE PRICES IN USD.exe / target 2088 cmd.exe (3 hits)
  - wrote to memory / 2088 cmd.exe / target 2428 powershell.exe (3 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (child of 2)
         Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe' & exit
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 3)
            Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1668-134-0x0000000000000000-mapping.dmp
- memory/1668-135-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1668-136-0x00000000053B0000-0x0000000005416000-memory.dmp (Filesize: 408KB)
- memory/2088-137-0x0000000000000000-mapping.dmp
- memory/2156-130-0x0000000000180000-0x000000000025E000-memory.dmp (Filesize: 888KB)
- memory/2156-131-0x0000000005290000-0x0000000005834000-memory.dmp (Filesize: 5.6MB)
- memory/2156-132-0x0000000004C00000-0x0000000004C92000-memory.dmp (Filesize: 584KB)
- memory/2156-133-0x0000000004F00000-0x0000000004F9C000-memory.dmp (Filesize: 624KB)
- memory/2428-138-0x0000000000000000-mapping.dmp
- memory/2428-139-0x0000000002930000-0x0000000002966000-memory.dmp (Filesize: 216KB)
- memory/2428-140-0x00000000053B0000-0x00000000059D8000-memory.dmp (Filesize: 6.2MB)
- memory/2428-141-0x0000000005170000-0x0000000005192000-memory.dmp (Filesize: 136KB)
- memory/2428-142-0x0000000005310000-0x0000000005376000-memory.dmp (Filesize: 408KB)
- memory/2428-143-0x0000000006220000-0x000000000623E000-memory.dmp (Filesize: 120KB)
- memory/2428-144-0x0000000007920000-0x0000000007F9A000-memory.dmp (Filesize: 6.5MB)
- memory/2428-145-0x00000000067C0000-0x00000000067DA000-memory.dmp (Filesize: 104KB)
- memory/2428-146-0x00000000074A0000-0x0000000007536000-memory.dmp (Filesize: 600KB)
- memory/2428-147-0x0000000006880000-0x00000000068A2000-memory.dmp (Filesize: 136KB)