Analysis
- max time kernel: 112s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:18
Static task: static1
Behavioral task: behavioral1
- Sample: 167647227-54134-sdfnt4-2.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 167647227-54134-sdfnt4-2.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: 167647227-54134-sdfnt4-2.pdf.exe (double extension: the ".pdf" is the lure, the file is a Windows executable)
- Size: 845KB
- MD5: 7dc2565dadc8f091295dfe0b87fb40d8
- SHA1: 05de206b83b43fa25e199ac07a38eae56cc97e8d
- SHA256: c75eff508f62cf4acb9960a32a93e15f4037325a66b8b669649c83d08ee70730
- SHA512: dd1c27d1349c55056ce1af23c0f0123aeface0188c898b0dfa9d29fb78f45280430f00b8e775f85ad1a9bcac456c244b745bb2a2522b59ddb0990ed2b571e612
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt
- Family: masslogger
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (1 IoC)
  resource: behavioral2/memory/3692-133-0x0000000000400000-0x00000000004A6000-memory.dmp
  yara_rule: family_masslogger
  The rule fired on a memory dump of PID 3692 (InstallUtil.exe), not on a file: the payload was found inside the .NET host that the sample writes into (see the SetThreadContext and WriteProcessMemory events below).
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule: masslogger_log_file
- Executes dropped EXE (1 IoC)
  PID 5048 vlc.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 20: api.ipify.org
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  167647227-54134-sdfnt4-2.pdf.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  167647227-54134-sdfnt4-2.pdf.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
- Suspicious use of SetThreadContext (1 IoC)
  PID 2104 (167647227-54134-sdfnt4-2.pdf.exe) set the thread context of PID 3692 (InstallUtil.exe). Read together with the WriteProcessMemory and MapViewOfSection events below, this is the sample starting a Microsoft .NET Framework utility, writing the MassLogger payload into it and redirecting its thread to that payload, so the stealer runs under InstallUtil.exe's name.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  PID 2764 timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  All 23 events come from PID 3692 InstallUtil.exe.
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2104 167647227-54134-sdfnt4-2.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3692 InstallUtil.exe enabled SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2104 (167647227-54134-sdfnt4-2.pdf.exe) wrote to PID 3692 (InstallUtil.exe): 4 events
  PID 3692 (InstallUtil.exe) wrote to PID 4040 (cmd.exe): 3 events
  PID 3692 (InstallUtil.exe) wrote to PID 3700 (cmd.exe): 3 events
  PID 4040 (cmd.exe) wrote to PID 5072 (schtasks.exe): 3 events
  PID 3700 (cmd.exe) wrote to PID 2764 (timeout.exe): 3 events
  PID 3700 (cmd.exe) wrote to PID 5048 (vlc.exe): 3 events
  The writes from each parent into a child it has just started are what ordinary process creation looks like in this telemetry; the edge that matters is 2104 -> 3692, an executable in the user's Temp directory writing into a system .NET host.
Processes
1. C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe (PID 2104)
   Command line: "C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe"
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 3692)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      Started with no arguments (InstallUtil.exe given no assembly only prints its usage and exits, so a long-lived argumentless instance is itself a tell) and from the 32-bit Framework directory, which is why the children below are the SysWOW64 copies of cmd.exe, schtasks.exe and timeout.exe.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 4040)
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe (PID 5072)
            Command line: schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
            Persistence: a task named vlc.exe that runs the dropped copy in %APPDATA%\VideoLAN at every logon with the highest run level available to the user (/rl highest). The name and path imitate the VideoLAN player, whose default install location is under Program Files, not a user's roaming profile.
            - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\cmd.exe (PID 3700)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5ED9.tmp.bat""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\timeout.exe (PID 2764)
            Command line: timeout 3
            - Delays execution with timeout.exe
         4. C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe (PID 5048)
            Command line: "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
            The batch file waits 3 seconds and then launches the dropped copy that the scheduled task also points at.
            - Executes dropped EXE
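The process tree above carries three verdicts an analyst would want to re-check mechanically rather than by eye: the SetThreadContext plus WriteProcessMemory pair from the sample into InstallUtil.exe, a schtasks /create whose action points into the user's roaming profile, and a dropped executable run from under that profile. The Python below is an added example, not part of the sandbox report or of any tool the report uses: it rebuilds the tree from the report's own PIDs, image paths, command lines and API events (constructed inline) and flags each of the three. The DOTNET_HOSTS list and the USER_WRITABLE pattern are illustrative assumptions; extend both from your own environment.

```python
# Added example (not part of the sandbox report): re-derive its verdicts from
# the process tree. Records below are constructed from the report's own lines.
import re
from dataclasses import dataclass, field
from typing import Optional

# Paths an unprivileged user can write to (assumption: illustrative pattern).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)
# .NET Framework utilities commonly started and then hollowed (assumption: short list).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe"}

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None
    api: dict = field(default_factory=dict)  # API name -> set of target PIDs

def descends_from(tree, pid, root):
    while pid in tree:  # stops at a missing parent (None or unknown PID)
        if pid == root:
            return True
        pid = tree[pid].parent
    return False

def detect_hollowing(tree):
    # SetThreadContext + WriteProcessMemory from a user-writable image into a
    # .NET host is the injection pattern the report attributes to PID 2104.
    hits = []
    for p in tree.values():
        shared = p.api.get("SetThreadContext", set()) & p.api.get("WriteProcessMemory", set())
        for target in shared:
            child = tree.get(target)
            if child is None or not USER_WRITABLE.search(p.image):
                continue
            name = child.image.rsplit("\\", 1)[-1].lower()
            if name in DOTNET_HOSTS:
                hits.append((p.pid, child.pid, name))
    return hits

def tokens(cmdline):
    # Quote-aware split that keeps backslashes verbatim (shlex would eat them
    # as escapes in POSIX mode and split on "/" in non-POSIX mode).
    return [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]

def parse_schtasks(cmdline):
    # Return the /sc /rl /tn /tr values of a `schtasks /create`, else None.
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low or not any(t.rsplit("\\", 1)[-1].startswith("schtasks") for t in low):
        return None
    return {low[i][1:]: toks[i + 1] for i in range(len(toks) - 1)
            if low[i] in ("/sc", "/rl", "/tn", "/tr")}

TASK_CHECKS = (
    ("tr", lambda v: bool(USER_WRITABLE.search(v)), "action lives in a user-writable path"),
    ("sc", lambda v: v.lower() == "onlogon", "fires at every logon"),
    ("rl", lambda v: v.lower() == "highest", "requests the highest run level"),
)

def detect_task_persistence(tree):
    hits = []
    for p in tree.values():
        opts = parse_schtasks(p.cmdline) or {}
        reasons = [why for key, test, why in TASK_CHECKS if test(opts.get(key, ""))]
        if reasons:
            hits.append((p.pid, opts.get("tn"), opts.get("tr"), reasons))
    return hits

def detect_dropped_exe(tree, root_pid):
    # Descendants of the sample whose own image sits in a user-writable path.
    return [p.pid for p in tree.values() if p.pid != root_pid
            and USER_WRITABLE.search(p.image) and descends_from(tree, p.pid, root_pid)]

# Constructed from the report's process tree, not captured from a live host.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\167647227-54134-sdfnt4-2.pdf.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
VLC = r"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
TASK = "schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '\"" + VLC + "\"'"
REPORT = [
    Proc(2104, SAMPLE, f'"{SAMPLE}"', None, {"SetThreadContext": {3692}, "WriteProcessMemory": {3692}}),
    Proc(3692, HOST, f'"{HOST}"', 2104, {"WriteProcessMemory": {4040, 3700}}),
    Proc(4040, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {TASK} & exit', 3692),
    Proc(5072, r"C:\Windows\SysWOW64\schtasks.exe", TASK, 4040),
    Proc(3700, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5ED9.tmp.bat""', 3692),
    Proc(2764, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3", 3700),
    Proc(5048, VLC, f'"{VLC}"', 3700),
]
TREE = {p.pid: p for p in REPORT}

if __name__ == "__main__":
    print("hollowing (parent, host, host image):", detect_hollowing(TREE))
    print("task persistence:", detect_task_persistence(TREE))
    print("dropped exe executed:", detect_dropped_exe(TREE, 2104))
```

Both cmd.exe (PID 4040) and schtasks.exe (PID 5072) are reported for the task, since the same /create appears on both command lines; deduplicate on the task name if you feed this into alerting. The hollowing check deliberately requires both APIs against the same target: WriteProcessMemory alone also fires for every ordinary parent-to-child process start in this report.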
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 156B
  MD5: 0388225f5a505545fe6a4516312815bf
  SHA1: c636938995ee797981fce2fc213de0005544a725
  SHA256: aba2a658ae79eb624905a5b1a1605da68d955d172b7603cd23e84781e14d774b
  SHA512: 4edea89564c5fbe776cacf29e5bacc989b0edd41ea2ca1bf603c968a78a6239b0c9f4e1fcab07d7fe481068630b4e07763f489a6970f98d91385b7e678fe2db2
- Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
- Filesize: 41KB (identical hashes to the previous entry)
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159