Overview

overview

10

Static

static

3

PAYMENT DE...ON.exe

windows7-x64

10

PAYMENT DE...ON.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT DETAILS CONFIRMATION.exe

  • Size

    992KB

  • MD5

    73c81dd67773b2efa5261e20adf74a5b

  • SHA1

    fde0db688d6abb4aad0bb646db9f1c192d980b5a

  • SHA256

    ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

  • SHA512

    8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9

  • SSDEEP

    24576:8I3j32qQLhX/CUoDnbUVo2yhVx/NOMCh/zduiMxVRPXQJA:j6DhaJAMx/NOMChxp8PXg

Score
10/10
massloggerdefense_evasiondiscoveryevasionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 5 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe'
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1768-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-1-0x0000000001250000-0x000000000134E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/1768-2-0x0000000000920000-0x0000000000938000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1768-3-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1768-4-0x00000000742EE000-0x00000000742EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-5-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1768-6-0x00000000056B0000-0x000000000577A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1768-7-0x0000000000A90000-0x0000000000A96000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1768-8-0x0000000005780000-0x000000000583C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/1768-22-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2768-20-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-17-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-15-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2768-12-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-11-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-9-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-21-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2768-10-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2768-24-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2768-23-0x00000000010A0000-0x0000000001118000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2768-25-0x00000000742E0000-0x00000000749CE000-memory.dmp

    Filesize

    6.9MB

    Download