Analysis

  • max time kernel
    134s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 02:02

General

  • Target

    8875ae2d57289e7589027bd085c7c17a.exe

  • Size

    699KB

  • MD5

    8875ae2d57289e7589027bd085c7c17a

  • SHA1

    8ef58bda3235b6cac0dce3f977d194c0d33cb694

  • SHA256

    71ba0f2207724fdcd6ae946c22683e8208ea2da4ef1d0026f08966eaeaf39d1f

  • SHA512

    31a00a7fe10cbb922605289403b90f5bdd35520780742141957085f17ab6ef06eb81611624dbbc59bb44c6933faa6e1a48de5e9a8fd3ed6ed7b871f58c8d086b

  • SSDEEP

    12288:cE10Gk3EFpjUa+LVRsb2UsJ4BhBrZ4PhPNAwI6SKkYcjoYkjIGuD8G1VygfW7Ex:cwUUraVgsJ4B3QAJkkYc0JMGu1vKU

Malware Config

Signatures

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger payload 3 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe
    "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe
      "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe"
      2⤵
        PID:4872

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8875ae2d57289e7589027bd085c7c17a.exe.log

      Filesize

      400B

      MD5

      0a9b4592cd49c3c21f6767c2dabda92f

      SHA1

      f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

      SHA256

      c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

      SHA512

      6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

    • memory/3088-11-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-1-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-2-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/3088-0-0x0000000074C62000-0x0000000074C63000-memory.dmp

      Filesize

      4KB

    • memory/3088-16-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-3-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/4872-9-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-10-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-7-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-13-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-4-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/4872-15-0x0000000074C60000-0x0000000075211000-memory.dmp

      Filesize

      5.7MB

    • memory/4872-5-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB