Overview

overview

10

Static

static

HCtR5cTfBBvX0Tt.exe

windows7_x64

10

HCtR5cTfBBvX0Tt.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    84s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HCtR5cTfBBvX0Tt.exe

  • Size

    956KB

  • MD5

    946617f29b6f4d728a590d6eaae36126

  • SHA1

    d06818f1f24d85e26d7159845076f346564253a0

  • SHA256

    45ef1e51df38e6778aaf2cd726748b55459b4aa54a2c8c2fea445cab0885f7bc

  • SHA512

    7204f1163662f391fe09c2637ca9c2e07e08bc1c047fab4e1594c49a37fb222093d86298c267cec9ee27f842f538f480c2bb8078ffea59c501f4777ff50a7d2f

Score
10/10
massloggercollectioncoreentityransomwarerezer0spywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 5:08:28 AM MassLogger Started: 5/21/2022 5:08:17 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @willsmith1.,

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
    "C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AvKneptmDajjT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9A0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1064
    • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB9A0.tmp
    Filesize

    1KB

    MD5

    b2336f50de47446f830fd67d5313a0ec

    SHA1

    ec2ef40bcf9a2dcf33b627b1416d288429559b82

    SHA256

    68773bf984a5f20858101c30b61bc82567ca5c4e38e8823d5baea133006e6fb6

    SHA512

    dc0d6537b8803695bee4aeb04fc3ce331a4ce721e940c6b27bcb3b29026134754de9ebe5a99d641357d93e1048a69fdfd365bf15fb40c8cf5ec1e6370767f730

    Download Submit

  • memory/844-87-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-107-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-585-0x0000000004810000-0x0000000004824000-memory.dmp

    Filesize

    80KB

    Download

  • memory/844-85-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-582-0x00000000008B0000-0x00000000008F4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/844-123-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-61-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-62-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-64-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-65-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-66-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-67-0x00000000004ABB2E-mapping.dmp

    Download

  • memory/844-69-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-71-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-73-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-89-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-77-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-79-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-83-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-81-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-584-0x0000000004D65000-0x0000000004D76000-memory.dmp

    Filesize

    68KB

    Download

  • memory/844-121-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-75-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-91-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-93-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-95-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-97-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-99-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-101-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-103-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-105-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-119-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-109-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-111-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-113-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-115-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/844-117-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1064-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1644-56-0x0000000076781000-0x0000000076783000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1644-58-0x0000000005E30000-0x0000000005EE8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1644-55-0x0000000000600000-0x00000000006CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1644-54-0x0000000000050000-0x0000000000148000-memory.dmp

    Filesize

    992KB

    Download

  • memory/1644-57-0x00000000004E0000-0x00000000004E8000-memory.dmp

    Filesize

    32KB

    Download