Analysis
-
max time kernel
45s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:27
General
-
Target
Quotation_Sheet_PO_including FOB_MOQ.PDF.exe
-
Size
756KB
-
MD5
a59a17e0750535499b455d7e2bf4b4ff
-
SHA1
d659c6f80171c2142aa0b9f0352205ae6a79ca4d
-
SHA256
c2be817a60ed0f80dc7f6e3e5eafc3db7a7a170e1df0015e2189cd9daecec6c8
-
SHA512
83bab7d199df6dadc8ca1d8c3cb38bc8cf466309d25ee92b3579ea30eac012154b20c9193367f09441619c0e08a0134123cf89d97972a43aaac42a9bff212354
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
masslogger
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtuxuaaSs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A2D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp2A2D.tmpFilesize
1KB
MD5bd62cd91d6caa3a9a6ed8c1edf8704f7
SHA103bbaa70e9587948bf3127ac3085750fc0a7bc21
SHA25628f427c7d4fd5d984f7b912a41cb9534e873dbd100a37087a9c1adf1d9184da2
SHA512dce818d0f43a46d6a8999abc7de0b4080118cd1f5628097ae40c744313208aa1cdd7cd962b80559fbc315139b65dda8034c89c5ac4f6579c8198669d7f0ef7bc
-
memory/1064-84-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-63-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-579-0x0000000004D55000-0x0000000004D66000-memory.dmpFilesize
68KB
-
memory/1064-86-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-577-0x00000000006C0000-0x0000000000704000-memory.dmpFilesize
272KB
-
memory/1064-90-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-61-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-88-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-64-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-65-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-66-0x00000000004ABA6E-mapping.dmp
-
memory/1064-68-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-70-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-72-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-74-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-76-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-78-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-80-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-82-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-122-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-120-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-118-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-60-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-92-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-94-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-96-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-98-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-100-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-102-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-104-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-106-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-108-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-110-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-112-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-114-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1064-116-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/1144-58-0x0000000000000000-mapping.dmp
-
memory/1948-56-0x0000000000620000-0x0000000000628000-memory.dmpFilesize
32KB
-
memory/1948-54-0x0000000000040000-0x0000000000104000-memory.dmpFilesize
784KB
-
memory/1948-55-0x0000000076571000-0x0000000076573000-memory.dmpFilesize
8KB
-
memory/1948-57-0x0000000005E00000-0x0000000005EB8000-memory.dmpFilesize
736KB