Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-ckt4jseag4
Target ca65b4f4e502d041504096fc855bf98d75bf824331442f6df97e2150df9c5821
SHA256 ca65b4f4e502d041504096fc855bf98d75bf824331442f6df97e2150df9c5821
Tags
masslogger spyware stealer coreentity ransomware rezer0
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca65b4f4e502d041504096fc855bf98d75bf824331442f6df97e2150df9c5821

Threat Level: Known bad

The file ca65b4f4e502d041504096fc855bf98d75bf824331442f6df97e2150df9c5821 was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer coreentity ransomware rezer0

CoreEntity .NET Packer

MassLogger Main Payload

MassLogger

MassLogger log file

ReZer0 packer

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:08

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:18

Platform

win10v2004-20220414-en

Max time kernel

94s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1416 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1416 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1416 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 1416 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 4812 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SHxDJYNQYtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FB0.tmp"

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe'

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp

Files

memory/1416-130-0x0000000000B60000-0x0000000000C34000-memory.dmp

memory/1416-131-0x0000000005C60000-0x0000000006204000-memory.dmp

memory/1416-132-0x0000000005850000-0x00000000058E2000-memory.dmp

memory/1416-133-0x0000000005840000-0x000000000584A000-memory.dmp

memory/1416-134-0x0000000008F40000-0x0000000008FDC000-memory.dmp

memory/4676-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FB0.tmp

MD5 987f3d63aba0c13c1972b4742eff814a
SHA1 4f36f222798cf4d54dacd714e5590a019da240e0
SHA256 42cf2fe1fab7369061553a1b2f65e7f7b5694e3079605b79e4ad1d9acfd284c0
SHA512 4c0cc89a83e1a60d4773474cadd7169aa5dd6b589ce28b6f20d3e6b6a230041551331eebf411c5304c46e7f6cf5674d490f7f2eef96e046720c746a10d5e5fd9

memory/4812-137-0x0000000000000000-mapping.dmp

memory/4812-138-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipment document pdf.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/4812-141-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-143-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-145-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-147-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-149-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-151-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-153-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-155-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-157-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-159-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-161-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-163-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-165-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-167-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-169-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-171-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-173-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-175-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-177-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-179-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-181-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-183-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-185-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-189-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-187-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-191-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-193-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-195-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-197-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-199-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-201-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4812-646-0x00000000055F0000-0x0000000005656000-memory.dmp

memory/3272-647-0x0000000000000000-mapping.dmp

memory/964-648-0x0000000000000000-mapping.dmp

memory/964-649-0x00000000051A0000-0x00000000051D6000-memory.dmp

memory/964-650-0x0000000005980000-0x0000000005FA8000-memory.dmp

memory/964-651-0x0000000005880000-0x00000000058A2000-memory.dmp

memory/964-652-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/964-653-0x00000000054E0000-0x00000000054FE000-memory.dmp

memory/964-654-0x0000000007DA0000-0x000000000841A000-memory.dmp

memory/964-655-0x0000000006C20000-0x0000000006C3A000-memory.dmp

memory/964-656-0x00000000077C0000-0x0000000007856000-memory.dmp

memory/964-657-0x0000000006D20000-0x0000000006D42000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:18

Platform

win7-20220414-en

Max time kernel

30s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description Indicator Process Target
N/A N/A N/A N/A

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
PID 916 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SHxDJYNQYtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46D1.tmp"

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

memory/916-54-0x0000000001240000-0x0000000001314000-memory.dmp

memory/916-55-0x0000000075711000-0x0000000075713000-memory.dmp

memory/916-56-0x0000000000860000-0x0000000000868000-memory.dmp

memory/916-57-0x00000000050A0000-0x0000000005150000-memory.dmp

memory/852-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp46D1.tmp

MD5 64138be51175adf53614cfbf4860ae46
SHA1 88410d1fb75007ddbe4f71f273a318cf46522f1a
SHA256 c6b3a3bd2e473f5583e5867e2a15c837bda2e27e08660bb0ac3ecfce9b387ab3
SHA512 afd2e4620b4db46705eb49a4b19f5a2e9f6464cbb2d9c248722e82e498321472d43bfce5a73f1ff54084d88dc2dce919e24882527477e79268ff1bb73ec458d6

memory/1324-60-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-61-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-63-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-64-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-65-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-66-0x00000000004A2E6E-mapping.dmp

memory/1324-68-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-70-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-72-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-74-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-76-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-78-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-80-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-82-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-84-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-86-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-88-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-90-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-92-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-94-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-96-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-98-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-100-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-102-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-104-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-106-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-108-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-110-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-112-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-114-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-116-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-118-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-120-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-122-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1324-578-0x00000000006E5000-0x00000000006F6000-memory.dmp