Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 03:28
Static task
static1
Behavioral task
behavioral1
Sample
RK__PO_2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
RK__PO_2.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
RK__PO_N.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
RK__PO_N.exe
Resource
win10v2004-20220414-en
General
-
Target
RK__PO_2.exe
-
Size
982KB
-
MD5
a5796bf649f72fdcae32b0a0241de4fb
-
SHA1
f302b9c34ed15e69f1fbe938fc7b0c817a2c963f
-
SHA256
5e2a294936d4b10a484ef84819a6279566e1f3028fd684b653998054f7f42181
-
SHA512
96f30fc24421f53160080936ef73741df0b5b604d1a158e3bcbb2bb747b1bb827a46fa6b71276b1645c2b9b6bcc28f9e0f250d4d698a04321c70257f9b9ac92b
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\0F48153F20\Log.txt
masslogger
Extracted
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
cruizjamesvhjkl@
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
Processes:
resource yara_rule behavioral2/memory/2032-140-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-143-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-145-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-147-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-149-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-151-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-153-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-155-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-157-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-159-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-161-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-163-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-165-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-167-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-169-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-171-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-173-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-175-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-177-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-179-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-181-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-183-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-185-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-187-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-189-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-191-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-193-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-195-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-197-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-199-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-201-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger behavioral2/memory/2032-203-0x0000000000400000-0x00000000004B2000-memory.dmp family_masslogger -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RK__PO_2.exeRK__PO_2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation RK__PO_2.exe Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation RK__PO_2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
Processes:
RK__PO_2.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 39 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RK__PO_2.exedescription pid process target process PID 2408 set thread context of 2032 2408 RK__PO_2.exe RK__PO_2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
RK__PO_2.exeRK__PO_2.exepid process 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2408 RK__PO_2.exe 2032 RK__PO_2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RK__PO_2.exeRK__PO_2.exedescription pid process Token: SeDebugPrivilege 2408 RK__PO_2.exe Token: SeDebugPrivilege 2032 RK__PO_2.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
RK__PO_2.exedescription pid process target process PID 2408 wrote to memory of 4012 2408 RK__PO_2.exe schtasks.exe PID 2408 wrote to memory of 4012 2408 RK__PO_2.exe schtasks.exe PID 2408 wrote to memory of 4012 2408 RK__PO_2.exe schtasks.exe PID 2408 wrote to memory of 3708 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 3708 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 3708 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 4948 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 4948 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 4948 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe PID 2408 wrote to memory of 2032 2408 RK__PO_2.exe RK__PO_2.exe -
outlook_office_path 1 IoCs
Processes:
RK__PO_2.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe -
outlook_win_path 1 IoCs
Processes:
RK__PO_2.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RK__PO_2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp"2⤵
- Creates scheduled task(s)
PID:4012 -
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"{path}"2⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"{path}"2⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2032
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5400f1cc1a0a0ce1cdabda365ab3368ce
SHA11ecf683f14271d84f3b6063493dce00ff5f42075
SHA256c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA51214c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
-
Filesize
1KB
MD51175547db226a3ea782db17c1e2a651d
SHA1a27659e0affe6609e8b2e9fe8e4ff5852295284e
SHA256c093ea4ed31764d241444855db605d9885a63b14022838d3b7e9b018934c84ed
SHA5126bee2eabbd33dd497ef75c99ec94eba3992bc58b02961442b3e8672200ae945f6d116cb0e9b0ae8478a9fabd387b59b79b8c4bd7b599dd62d1101e1ea251c7bf