Analysis
-
max time kernel
150s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:53
General
-
Target
Order Inquiry List With 3D Artwork.exe
-
Size
881KB
-
MD5
b9d10f4408bf860a0a8b6243083ea0b4
-
SHA1
25097e3d867496c1e0b1958283dfacd4cb10ff1e
-
SHA256
a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d
-
SHA512
218fec5a9cb9e073e58629b18c5b4995beed7a4e0bf3fdce18a389ecb0f43255b105dcabe67a2440e1372825645922d761c278105753324b181f448abbde2a4b
Score
10/10
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List With 3D Artwork.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1684-138-0x0000000000000000-mapping.dmp
-
memory/1852-142-0x00000000054E0000-0x0000000005502000-memory.dmpFilesize
136KB
-
memory/1852-143-0x0000000005CB0000-0x0000000005D16000-memory.dmpFilesize
408KB
-
memory/1852-140-0x0000000002A70000-0x0000000002AA6000-memory.dmpFilesize
216KB
-
memory/1852-141-0x0000000005680000-0x0000000005CA8000-memory.dmpFilesize
6.2MB
-
memory/1852-139-0x0000000000000000-mapping.dmp
-
memory/1852-147-0x0000000007620000-0x00000000076B6000-memory.dmpFilesize
600KB
-
memory/1852-146-0x0000000006890000-0x00000000068AA000-memory.dmpFilesize
104KB
-
memory/1852-145-0x0000000007C00000-0x000000000827A000-memory.dmpFilesize
6.5MB
-
memory/1852-148-0x0000000006990000-0x00000000069B2000-memory.dmpFilesize
136KB
-
memory/1852-144-0x00000000063B0000-0x00000000063CE000-memory.dmpFilesize
120KB
-
memory/2120-136-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/2120-137-0x0000000005310000-0x0000000005376000-memory.dmpFilesize
408KB
-
memory/2120-135-0x0000000000000000-mapping.dmp
-
memory/3032-134-0x0000000000000000-mapping.dmp
-
memory/3468-130-0x0000000000430000-0x0000000000512000-memory.dmpFilesize
904KB
-
memory/3468-133-0x00000000055D0000-0x0000000005662000-memory.dmpFilesize
584KB
-
memory/3468-131-0x0000000005090000-0x000000000512C000-memory.dmpFilesize
624KB
-
memory/3468-132-0x00000000059E0000-0x0000000005F84000-memory.dmpFilesize
5.6MB