Analysis
-
max time kernel
106s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:18
General
-
Target
Order inquiry skmt042.exe
-
Size
886KB
-
MD5
293669a0b90d7bc20d639c077517ef93
-
SHA1
dbe8051a4f25ee4716297a36295cafb4e46c951c
-
SHA256
f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7
-
SHA512
1fbd62362ff5769bb07557a498c85eab818e4916a33aab2cc65dee5566ae3a6bc6b0761e943ea7d2551a70f7609881b8d3c23c1f69a60751ff1c80749079165a
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lgzxpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB882.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412B
MD5ad1c7f6525cfeb54c0487efd38b0e26c
SHA1ed3da94723ac7e3828a9e93d68418bb810592f3b
SHA2560a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
SHA51248d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c
-
Filesize
1KB
MD504498c80c01890f24b0cbd89c54cad62
SHA13335ac6b88441e0c095e61f655c8cf06fb0347d2
SHA256b29d81b395c5afdecf3c3cfdf30a921fce865880b3fc549900f52b24fdf3357e
SHA512c3fa7262d7a3b93b8395dcbb869f3cd7589cfaac90ff621823f47bc4dbd7f9a0f5b6e6b36bcbc53bb4ea00d6dd9aed5e34a357540118ce36f3ad368570c53e5b
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
912KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB