Analysis
max time kernel: 152s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: Documents.pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents.pdf.exe
  Resource: win10v2004-20220414-en
General
Target: Documents.pdf.exe
Size: 842KB
MD5: 301e1a6b59a0e2249372ee47aec99f37
SHA1: 614105ff4c3c6677a8c44f734a7ba282db17ad0c
SHA256: 44a9da622295549820b1eb9645b524cc0a54b3c91832be3ba44630866a179607
SHA512: fd773441e5012d9d45d62537b47921fc4ba7ac0e9f5cff084e8e9ffa6994a551728aabeb24beae6b4094df8c00713f1580a642f31874fe4c3f6b3aa1923b0484
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt
Family: masslogger
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2236-139-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger

MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
Processes:
yara_rule
masslogger_log_file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Documents.pdf.exe, Documents.pdf.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Documents.pdf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Documents.pdf.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
38 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes: Documents.pdf.exe
description | pid | process | target process
PID 2736 set thread context of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: Documents.pdf.exe
pid | process
2236 | Documents.pdf.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: Documents.pdf.exe, Documents.pdf.exe
pid | process
2736 | Documents.pdf.exe
2736 | Documents.pdf.exe
2736 | Documents.pdf.exe
2236 | Documents.pdf.exe
2236 | Documents.pdf.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Documents.pdf.exe, Documents.pdf.exe
description | pid | process
Token: SeDebugPrivilege | 2736 | Documents.pdf.exe
Token: SeDebugPrivilege | 2236 | Documents.pdf.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Documents.pdf.exe
pid | process
2236 | Documents.pdf.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: Documents.pdf.exe
description | pid | process | target process
PID 2736 wrote to memory of 5072 | 2736 | Documents.pdf.exe | schtasks.exe
PID 2736 wrote to memory of 5072 | 2736 | Documents.pdf.exe | schtasks.exe
PID 2736 wrote to memory of 5072 | 2736 | Documents.pdf.exe | schtasks.exe
PID 2736 wrote to memory of 2304 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2304 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2304 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
PID 2736 wrote to memory of 2236 | 2736 | Documents.pdf.exe | Documents.pdf.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmZtCG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp"
    - Creates scheduled task(s)
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
    Command line: "{path}"
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
    Command line: "{path}"
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp
  Filesize: 1KB
  MD5: 75c0c559a9135119b544089492ec308f
  SHA1: 71de193e0eff7444f110b6f689ae5265ca6b6f2c
  SHA256: 5a6ca3b3748109f1ee3656a821c82775b50c8fa35f7dbfe0ee48fbcff9489080
  SHA512: a43559bd61242433da2a6360909b0b10bcac058ca2f79a4df110f32a3bdde8c284ad3b89caf5aef2ebe0c94e19c86d4f3eec28849439b1d57da729a62cfa00b0
memory/2236-138-0x0000000000000000-mapping.dmp
memory/2236-139-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize: 672KB
memory/2236-140-0x0000000005940000-0x00000000059A6000-memory.dmp
  Filesize: 408KB
memory/2236-141-0x0000000007250000-0x000000000725A000-memory.dmp
  Filesize: 40KB
memory/2304-137-0x0000000000000000-mapping.dmp
memory/2736-131-0x0000000000F50000-0x0000000001028000-memory.dmp
  Filesize: 864KB
memory/2736-132-0x0000000005890000-0x000000000592C000-memory.dmp
  Filesize: 624KB
memory/2736-133-0x0000000005A40000-0x0000000005AD2000-memory.dmp
  Filesize: 584KB
memory/2736-134-0x0000000007970000-0x0000000007F14000-memory.dmp
  Filesize: 5.6MB
memory/5072-135-0x0000000000000000-mapping.dmp