Analysis
-
max time kernel
45s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:27
General
-
Target
Quotation_Sheet_PO_including FOB_MOQ.PDF.exe
-
Size
756KB
-
MD5
a59a17e0750535499b455d7e2bf4b4ff
-
SHA1
d659c6f80171c2142aa0b9f0352205ae6a79ca4d
-
SHA256
c2be817a60ed0f80dc7f6e3e5eafc3db7a7a170e1df0015e2189cd9daecec6c8
-
SHA512
83bab7d199df6dadc8ca1d8c3cb38bc8cf466309d25ee92b3579ea30eac012154b20c9193367f09441619c0e08a0134123cf89d97972a43aaac42a9bff212354
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtuxuaaSs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A2D.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bd62cd91d6caa3a9a6ed8c1edf8704f7
SHA103bbaa70e9587948bf3127ac3085750fc0a7bc21
SHA25628f427c7d4fd5d984f7b912a41cb9534e873dbd100a37087a9c1adf1d9184da2
SHA512dce818d0f43a46d6a8999abc7de0b4080118cd1f5628097ae40c744313208aa1cdd7cd962b80559fbc315139b65dda8034c89c5ac4f6579c8198669d7f0ef7bc
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
68KB
-
Filesize
704KB
-
Filesize
272KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
32KB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
736KB