Analysis
- max time kernel: 122s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:35

Static task: static1

Behavioral task: behavioral1
  Sample: Commercial Invoice.PDF.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Commercial Invoice.PDF.exe
  Resource: win10v2004-20220414-en
General
- Target: Commercial Invoice.PDF.exe
- Size: 877KB
- MD5: d8cf7fecfdf7a96bd9038dd3e6e7d0a1
- SHA1: 3739de1f03fe0681e6f2beed5385bee55f8f2690
- SHA256: 7e69a7faf816e90b60a9043118f59b3084def9f66bc69cb0c5ca8d59309acb82
- SHA512: 8e9fd42265f90bed721151d47d54cb65ebbe3d10f20e4ed16fc58fae26826284f49938803e2851dad2ad2e815ed31218e87e95fe022675d577fbc7352ff1b8fe
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (32 IoCs)
  Processes: YARA rule family_masslogger matched 32 memory dumps of PID 3668 (Commercial Invoice.PDF.exe), all covering the region 0x0000000000400000-0x00000000004B2000.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Commercial Invoice.PDF.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Commercial Invoice.PDF.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (Commercial Invoice.PDF.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Commercial Invoice.PDF.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (Commercial Invoice.PDF.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4660 (Commercial Invoice.PDF.exe) set thread context of PID 3668 (Commercial Invoice.PDF.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
    PID 4660 Commercial Invoice.PDF.exe (5 events)
    PID 1668 powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 4660 (Commercial Invoice.PDF.exe)
    Token: SeDebugPrivilege, PID 3668 (Commercial Invoice.PDF.exe)
    Token: SeDebugPrivilege, PID 1668 (powershell.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    PID 4660 (Commercial Invoice.PDF.exe) wrote to memory of PID 3188 (schtasks.exe) (3 events)
    PID 4660 (Commercial Invoice.PDF.exe) wrote to memory of PID 3444 (Commercial Invoice.PDF.exe) (3 events)
    PID 4660 (Commercial Invoice.PDF.exe) wrote to memory of PID 3668 (Commercial Invoice.PDF.exe) (8 events)
    PID 3668 (Commercial Invoice.PDF.exe) wrote to memory of PID 4048 (cmd.exe) (3 events)
    PID 4048 (cmd.exe) wrote to memory of PID 1668 (powershell.exe) (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe
      Command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe' & exit
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe'
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Commercial Invoice.PDF.exe.log
  Filesize: 599B
  MD5: 996b3ca5832df1ecc0baddffe880d881
  SHA1: 2daec644df4f8d8b4d3ce8767a64cc493431f53e
  SHA256: 87d44a5bc3bc05d118076ef1cfe0af9bf45b74bdd4034986d58c65ba43bd06e9
  SHA512: b8bd04126d8ac7d8544acc475ed2f8d226d4cf61b2a611d3cbe4532f769322c530e4466303c4fd13187da12c8ba06847eabcc724e2b422707da9907e2c12fd2e
- C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmp
  Filesize: 1KB
  MD5: 5e903ea2936285652f3cad9d45bf09cf
  SHA1: 327528d5ae60cbf0e09f0b6a7c6d70e8005cefdb
  SHA256: c9ed89f765f68badf14ccf94ab8a87cb4cac2971a2e9fddf3d38ea9881841164
  SHA512: 8222e86a905097bd5a444b1c4b3f2bb0105625553118781d9fc1572eafec3345f88cb0b728e03f069fd66472ea9ff6d3943fa63ddc5e7c00a936cab33e80f198