Analysis
-
max time kernel
122s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 02:35
General
-
Target
Commercial Invoice.PDF.exe
-
Size
877KB
-
MD5
d8cf7fecfdf7a96bd9038dd3e6e7d0a1
-
SHA1
3739de1f03fe0681e6f2beed5385bee55f8f2690
-
SHA256
7e69a7faf816e90b60a9043118f59b3084def9f66bc69cb0c5ca8d59309acb82
-
SHA512
8e9fd42265f90bed721151d47d54cb65ebbe3d10f20e4ed16fc58fae26826284f49938803e2851dad2ad2e815ed31218e87e95fe022675d577fbc7352ff1b8fe
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Commercial Invoice.PDF.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Commercial Invoice.PDF.exe.logFilesize
599B
MD5996b3ca5832df1ecc0baddffe880d881
SHA12daec644df4f8d8b4d3ce8767a64cc493431f53e
SHA25687d44a5bc3bc05d118076ef1cfe0af9bf45b74bdd4034986d58c65ba43bd06e9
SHA512b8bd04126d8ac7d8544acc475ed2f8d226d4cf61b2a611d3cbe4532f769322c530e4466303c4fd13187da12c8ba06847eabcc724e2b422707da9907e2c12fd2e
-
C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmpFilesize
1KB
MD55e903ea2936285652f3cad9d45bf09cf
SHA1327528d5ae60cbf0e09f0b6a7c6d70e8005cefdb
SHA256c9ed89f765f68badf14ccf94ab8a87cb4cac2971a2e9fddf3d38ea9881841164
SHA5128222e86a905097bd5a444b1c4b3f2bb0105625553118781d9fc1572eafec3345f88cb0b728e03f069fd66472ea9ff6d3943fa63ddc5e7c00a936cab33e80f198
-
memory/1668-665-0x00000000063E0000-0x00000000063FA000-memory.dmpFilesize
104KB
-
memory/1668-667-0x00000000064B0000-0x00000000064D2000-memory.dmpFilesize
136KB
-
memory/1668-666-0x0000000007140000-0x00000000071D6000-memory.dmpFilesize
600KB
-
memory/1668-664-0x0000000007720000-0x0000000007D9A000-memory.dmpFilesize
6.5MB
-
memory/1668-663-0x0000000005EF0000-0x0000000005F0E000-memory.dmpFilesize
120KB
-
memory/1668-662-0x00000000057F0000-0x0000000005856000-memory.dmpFilesize
408KB
-
memory/1668-661-0x0000000005040000-0x0000000005062000-memory.dmpFilesize
136KB
-
memory/1668-660-0x00000000050D0000-0x00000000056F8000-memory.dmpFilesize
6.2MB
-
memory/1668-659-0x0000000004920000-0x0000000004956000-memory.dmpFilesize
216KB
-
memory/1668-658-0x0000000000000000-mapping.dmp
-
memory/3188-135-0x0000000000000000-mapping.dmp
-
memory/3444-137-0x0000000000000000-mapping.dmp
-
memory/3668-182-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-196-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-162-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-164-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-166-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-168-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-170-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-172-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-174-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-176-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-178-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-180-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-158-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-184-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-186-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-190-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-188-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-192-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-194-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-160-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-198-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-200-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-202-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-138-0x0000000000000000-mapping.dmp
-
memory/3668-156-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-154-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-152-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-150-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-148-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-146-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-144-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-142-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3668-139-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/4048-657-0x0000000000000000-mapping.dmp
-
memory/4660-130-0x0000000000EC0000-0x0000000000FA2000-memory.dmpFilesize
904KB
-
memory/4660-131-0x0000000005CD0000-0x0000000005D6C000-memory.dmpFilesize
624KB
-
memory/4660-132-0x0000000005E10000-0x0000000005EA2000-memory.dmpFilesize
584KB
-
memory/4660-133-0x0000000007E20000-0x00000000083C4000-memory.dmpFilesize
5.6MB
-
memory/4660-134-0x0000000006470000-0x00000000064D6000-memory.dmpFilesize
408KB