Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
112s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21/05/2022, 03:28
General
-
Target
RK__PO_N.exe
-
Size
981KB
-
MD5
96de546b32289587f7db830e1e385a26
-
SHA1
60f2925dc7ebdb8aa4c844edcaa3b0b5c6b4954b
-
SHA256
00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c
-
SHA512
f26fe0d399a4b428a80a828c29e63145c7eb406200829fa473ae40e77c055f45071d4cacb02c8a59c87969ecb0dc3f7a7e97387bc0ecf34d080ede36b18951fd
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFA6.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5400f1cc1a0a0ce1cdabda365ab3368ce
SHA11ecf683f14271d84f3b6063493dce00ff5f42075
SHA256c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA51214c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
-
Filesize
1KB
MD5541e13162b02b801210b581259326985
SHA140a7b5e6a0a7cade43dd40f81143ae68223ebc9f
SHA256a4fbb92255c1350690efdcdb768e19442eecb00330571d4fdaf530c45c19d604
SHA5124f839d09db90b8771ff9d2db77781a283ddeeb40a6e543518c4c302787462b87d4b2193543ce6545ff1f6638468a8de7d737edf5fdaa55e4dd95c0fea24177b8
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
1016KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB