Analysis
-
max time kernel
95s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14-08-2024 11:49
Static task
static1
Behavioral task
behavioral1
Sample
DHL AWB 405986998.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
DHL AWB 405986998.exe
Resource
win10v2004-20240802-en
General
-
Target
DHL AWB 405986998.exe
-
Size
936KB
-
MD5
4b0c7e94c712a92bdb4a84ccef01ac26
-
SHA1
108888e88b8b74ab567874a22abc8513d445678a
-
SHA256
6f00ffaa9b0fe22f4e8e46fc35998010ecabecac8ffbdc4629e1b59372393a6b
-
SHA512
4fa45c2246196ef1ccbd68b4329b3d6f79da8a5df79529628edcd6a1a5f7fc7d6f5740bf02f88a33288f6818dbdf221b7cc14731298af6a287fc0d2f04fc62cf
-
SSDEEP
12288:+Fwj4Jdm9X2I6P3qoJsUkBY7kahSrePdxlqbvPK9DaqEPRCz+bIv/0xRSgHxOt9t:X0Jo91oJES97qlPRg+bIn0XLHxg2Qn
Malware Config
Extracted
Protocol: smtp- Host:
mail.mytravelexplorer.com - Port:
587 - Username:
[email protected] - Password:
2JWcb}iP#4]+
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 5 IoCs
resource yara_rule behavioral1/memory/3052-17-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger behavioral1/memory/3052-22-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger behavioral1/memory/3052-20-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger behavioral1/memory/3052-14-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger behavioral1/memory/3052-13-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation DHL AWB 405986998.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL AWB 405986998.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 824 set thread context of 3052 824 DHL AWB 405986998.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL AWB 405986998.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL AWB 405986998.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3048 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3052 DHL AWB 405986998.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3052 DHL AWB 405986998.exe 3052 DHL AWB 405986998.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3052 DHL AWB 405986998.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3052 DHL AWB 405986998.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 824 wrote to memory of 3048 824 DHL AWB 405986998.exe 30 PID 824 wrote to memory of 3048 824 DHL AWB 405986998.exe 30 PID 824 wrote to memory of 3048 824 DHL AWB 405986998.exe 30 PID 824 wrote to memory of 3048 824 DHL AWB 405986998.exe 30 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 PID 824 wrote to memory of 3052 824 DHL AWB 405986998.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Platwf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B31.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3052
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56985afa16ba3491fac90d381fe607f95
SHA1f55ddf5b9627a735991a0ab61dc8e1da2d000d9c
SHA2560dc745974210c24a630e04aade30e3102a5b5fd01e34dd8b76d95038e9bb970f
SHA51287a867b7fc11344b6bbde601bf4600f2963b3b9b5da0ebc8c9c0163b77112fcd89ed2f4a556abbdd1e2e3ee82271e9a2e29bbeb54002178bb34efec451780ac0