Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-08-2024 10:57
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240802-en
General
-
Target
file.exe
-
Size
795KB
-
MD5
244ff9e90106994d5a14add8e8483484
-
SHA1
42a9a0fec6267a15752beb06d838ea21eaefed75
-
SHA256
655d4b33dd95b286d546c78a9e26e33c3b16b779d5cfb41b62250cb059ae1301
-
SHA512
3b727ab0e410ff276688196199bb29b26d87734c85f93181784a5e4170decfc7467aa02d1c178c81e1fddd37638567af1045e9c9f1d0bb689f53e18baf03f867
-
SSDEEP
12288:QZpTV9DFHzw7NU0EXN0c1qRcDnftLEY2D94ymrdbWF9mrgxTmta6GNfnEHLmmJ0:ipTp+kPcRIftn2D94ymp6FqgxkGFaN
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 1 IoCs
resource yara_rule behavioral1/memory/2852-9-0x0000000008970000-0x0000000008A18000-memory.dmp family_masslogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation file.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2360 2852 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2084 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2852 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2852 file.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2852 wrote to memory of 2084 2852 file.exe 31 PID 2852 wrote to memory of 2084 2852 file.exe 31 PID 2852 wrote to memory of 2084 2852 file.exe 31 PID 2852 wrote to memory of 2084 2852 file.exe 31 PID 2852 wrote to memory of 2360 2852 file.exe 34 PID 2852 wrote to memory of 2360 2852 file.exe 34 PID 2852 wrote to memory of 2360 2852 file.exe 34 PID 2852 wrote to memory of 2360 2852 file.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UXABia" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2084
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 16002⤵
- Program crash
PID:2360
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5838038852acd401e56a93028ef60e555
SHA1d941f20c01f25d4fd4c46427887ed8a9c8c39fc5
SHA2563f717884b7b7966638c250430832352207b4f52c0454270f424c4fa2de0252dd
SHA512717c92074c02f7f6620e9832896628663e9223e90ce6ff8526957d409c310211af2b062c3ec0fed456c584ff1a184b10cb6585c5e83c08ea0f928f14317f1123