Analysis
- max time kernel: 93s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:53
Static task: static1

Behavioral task: behavioral1
- Sample: LP40728194004.exe
- Resource: win7-20220414-en
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: LP40728194004.exe
- Resource: win10v2004-20220414-en
- 0 signatures, 0 seconds
General
- Target: LP40728194004.exe
- Size: 1.3MB
- MD5: 81297e7d0a24d0566bf47c8bebd0a3e2
- SHA1: c2dc509acef33461268ba76bafbdb11e81e3d759
- SHA256: 3d0af7312beff6b913ae04b6c6b3f9aac323308a1933952d1c8bd732fdf290ce
- SHA512: ac8bc8716d999c6bedc13f1c479e44e43288946beb46403a415004f43a1cbdbf63c5047ce6e5cf89065730fc750e1176b5bda8d006ece6e6d9a456df47aec986
- Score: 10/10
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

- MassLogger Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3912-133-0x0000000000C00000-0x0000000000CB8000-memory.dmp | family_masslogger
  behavioral2/memory/3912-132-0x0000000000C00000-0x0000000000CB8000-memory.dmp | family_masslogger

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1684 set thread context of 3912 | 1684 | LP40728194004.exe | 79

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1684 | LP40728194004.exe
  1684 | LP40728194004.exe
  3912 | LP40728194004.exe
  3912 | LP40728194004.exe
  3404 | powershell.exe
  3404 | powershell.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  1684 | LP40728194004.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3912 | LP40728194004.exe
  Token: SeDebugPrivilege | 3404 | powershell.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1684 wrote to memory of 3912 | 1684 | LP40728194004.exe | 79
  PID 1684 wrote to memory of 3912 | 1684 | LP40728194004.exe | 79
  PID 1684 wrote to memory of 3912 | 1684 | LP40728194004.exe | 79
  PID 3912 wrote to memory of 2556 | 3912 | LP40728194004.exe | 80
  PID 3912 wrote to memory of 2556 | 3912 | LP40728194004.exe | 80
  PID 3912 wrote to memory of 2556 | 3912 | LP40728194004.exe | 80
  PID 2556 wrote to memory of 3404 | 2556 | cmd.exe | 82
  PID 2556 wrote to memory of 3404 | 2556 | cmd.exe | 82
  PID 2556 wrote to memory of 3404 | 2556 | cmd.exe | 82
Processes (process tree; the number is the nesting level)

1. C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe"
   PID: 1684
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe"
      PID: 3912
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe' & exit
         PID: 2556
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\LP40728194004.exe'
            PID: 3404
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken