Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-d1t9xsbfel
Target 10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855
SHA256 10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855
Tags
masslogger collection ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855

Threat Level: Known bad

The file 10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger Main Payload

MassLogger

MassLogger log file

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:10

Platform

win7-20220414-en

Max time kernel

145s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
(33 rows recorded; every field is N/A)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2040 set thread context of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
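
The rows above (SetThreadContext and WriteProcessMemory from PID 2040 into a second copy of RK__PO_2.exe, a schtasks /Create with a task XML staged in the user's Temp directory, an api.ipify.org lookup, then TCP/587 to smtp.yandex.ru) are the whole attack chain of this run. The helper below is an added example, not part of the sandbox report or of any Triage tooling: it re-derives that chain from the report's own signature, process and network rows (copied inline as constructed input) and maps each finding to an ATT&CK technique. Child PIDs are taken from the WriteProcessMemory rows, since the Processes section does not print PIDs; the ATT&CK mapping is mine (the page's MITRE ATT&CK section is empty); the "{path}" child is the hollowed instance; and the SysWOW64 vs System32 difference in the schtasks path is WOW64 file-system redirection for a 32-bit process, not a second binary.

```python
"""Added triage helper (not from the sandbox report): rebuild the attack chain
from the behavioral1 signature, process and network rows and map it to ATT&CK.
Child PIDs come from the WriteProcessMemory rows; the ATT&CK mapping is the
author's own assumption, not the report's."""
import re

# Constructed input, copied from the behavioral1 tables above.
# Row layout mirrors the report: (signature, description, indicator, process, target)
RK = r"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SID = r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000"
SIGNATURE_ROWS = [
    ("Checks computer location settings", "Key value queried",
     SID + r"\Control Panel\International\Geo\Nation", RK, None),
    ("Accesses Microsoft Outlook profiles", "Key queried",
     SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676", RK, None),
    ("Accesses Microsoft Outlook profiles", "Key queried",
     SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook", RK, None),
    ("Suspicious use of SetThreadContext", "PID 2040 set thread context of 1120", None, RK, RK),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", None, RK, None),
    ("Suspicious use of WriteProcessMemory", "PID 2040 wrote to memory of 1784", None, RK, SCHTASKS),
    ("Suspicious use of WriteProcessMemory", "PID 2040 wrote to memory of 1120", None, RK, RK),
]
PROCESSES = [  # (pid, command line); PIDs inferred from the WriteProcessMemory targets
    (2040, r'"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"'),
    (1784, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"'),
    (1120, '"{path}"'),
]
NETWORK = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "api.ipify.org", "udp"),
    ("US", "3.232.242.170:80", "api.ipify.org", "tcp"),
    ("US", "8.8.8.8:53", "smtp.yandex.ru", "udp"),
    ("RU", "77.88.21.158:587", "smtp.yandex.ru", "tcp"),
]

PID_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)
XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.I)
OUTLOOK_RE = re.compile(r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\", re.I)
MAIL_PORTS = {25, 465, 587}

def find_hollowing(rows):
    """(parent, child) pairs that were both written to and had a thread context set,
    where the child runs the parent's own image: the classic hollowing pattern."""
    wrote, ctx, images = set(), set(), {}
    for _sig, desc, _ind, proc, target in rows:
        m = PID_RE.match(desc or "")
        if not m:
            continue
        pair = (int(m.group(1)), int(m.group(3)))
        (wrote if m.group(2).startswith("wrote") else ctx).add(pair)
        images[pair] = (proc, target)
    return [p for p in sorted(ctx & wrote)
            if (images[p][0] or "").lower() == (images[p][1] or "").lower()]

def find_scheduled_tasks(processes):
    """schtasks /Create invocations; flag a task XML staged under the user's Temp directory."""
    out = []
    for pid, cmd in processes:
        low = cmd.lower()
        if "schtasks" not in low or "/create" not in low:
            continue
        tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
        xml_path = xml.group(1) if xml else None
        out.append({"pid": pid, "task": tn.group(1) if tn else None, "xml": xml_path,
                    "xml_in_temp": bool(xml_path) and "\\appdata\\local\\temp\\" in xml_path.lower()})
    return out

def find_outlook_hives(rows):
    """Outlook profile roots touched (Office 15/16 keys and the legacy Windows Messaging Subsystem key)."""
    return sorted({OUTLOOK_RE.search(ind).group(1) for _s, _d, ind, _p, _t in rows
                   if ind and OUTLOOK_RE.search(ind)})

def find_network(network):
    """Mail-submission ports and external-IP lookups over TCP; DNS rows are skipped."""
    found = []
    for country, dest, domain, proto in network:
        port = int(dest.rsplit(":", 1)[1])
        if proto != "tcp":
            continue
        if port in MAIL_PORTS:
            found.append(("smtp_exfil", domain, dest, country))
        elif domain.endswith("ipify.org"):
            found.append(("external_ip_lookup", domain, dest, country))
    return found

# Author's ATT&CK mapping for these findings (assumption; the report's MITRE section is empty).
ATTACK = {"process_hollowing": "T1055.012", "scheduled_task": "T1053.005",
          "outlook_profiles": "T1114.001", "location_check": "T1614",
          "external_ip_lookup": "T1016", "smtp_exfil": "T1048"}

def triage(rows=SIGNATURE_ROWS, processes=PROCESSES, network=NETWORK):
    """Combine the individual checks into one finding set plus technique IDs."""
    hollow, tasks = find_hollowing(rows), find_scheduled_tasks(processes)
    hives, net = find_outlook_hives(rows), find_network(network)
    techniques = {ATTACK[kind] for kind, *_rest in net}
    if hollow:
        techniques.add(ATTACK["process_hollowing"])
    if tasks:
        techniques.add(ATTACK["scheduled_task"])
    if hives:
        techniques.add(ATTACK["outlook_profiles"])
    if any((r[2] or "").endswith("Geo\\Nation") for r in rows):
        techniques.add(ATTACK["location_check"])
    return {"hollowing": hollow, "scheduled_tasks": tasks, "outlook_hives": hives,
            "network": net, "attack": sorted(techniques)}

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The same functions run unchanged over the behavioral2 rows (PID 2408 writing into 3708, 4948 and 2032 but setting a thread context only on 2032 yields the single pair (2408, 2032), which is the one child that was actually hollowed). One caveat when reusing the header tags: the tag list includes ransomware, but no signature in any run on this page supports it, so the mapping above covers only behaviour the signatures show.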

Files

memory/2040-54-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/2040-55-0x0000000005C50000-0x0000000005D2C000-memory.dmp

memory/2040-56-0x0000000000640000-0x0000000000654000-memory.dmp

memory/2040-57-0x0000000005F10000-0x0000000005FC8000-memory.dmp

memory/1784-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp

MD5 632983e1c563da4f8529159afcf45fd0
SHA1 cf4d787bfe93edf2f1f0f770104e7f3e2721c110
SHA256 bd6b913378dd8232e8f8c3c5a3b949bf63410993039f5c0e51e80331b4a427cd
SHA512 80c0bf2593e4a3acff9715d117bd8e050e8a9bc6dfcaaa0f07b7a79c6d960a593babd99197d260cf37687ac546d37538944dfad2ec66c72f661f00f6bf2768e3

memory/1120-60-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-61-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-63-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-64-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-66-0x00000000004ACD7E-mapping.dmp

memory/1120-65-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-68-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-70-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-72-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-74-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-76-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-78-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-80-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-82-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-84-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-86-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-88-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-92-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-94-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-98-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-102-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-104-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-110-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-108-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-112-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-106-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-114-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-116-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-118-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-120-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-122-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-124-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1120-587-0x00000000007D0000-0x0000000000814000-memory.dmp

memory/1120-589-0x0000000005005000-0x0000000005016000-memory.dmp

memory/1120-590-0x00000000021D0000-0x00000000021E4000-memory.dmp
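
The Files list above is dominated by repeated dumps of one region in PID 1120, 0x400000 to 0x4B2000, which is the image range of the hollowed child, plus one "mapping" entry at 0x4ACD7E that falls inside it. The helper below is an added example, not from the report: it parses dump names of the form memory/PID-SEQ-START-END-memory.dmp and memory/PID-SEQ-ADDR-mapping.dmp, counts regions per PID, and picks the most-dumped region as the first candidate to carve and unpack. The sample names are a constructed subset of the behavioral1 entries; the naming scheme is read off the page, and the exact meaning of a "mapping" entry is not stated there (it plausibly records the address the thread context was pointed at, but that is an assumption).

```python
"""Added example (not from the sandbox report): group memory-dump entries by
PID and region so the repeatedly re-dumped image of the hollowed child stands
out. Dump-name format inferred from the Files list on this page."""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

SAMPLE_FILES = [  # constructed subset of the behavioral1 Files list
    "memory/2040-54-0x0000000000980000-0x0000000000A80000-memory.dmp",
    "memory/2040-55-0x0000000005C50000-0x0000000005D2C000-memory.dmp",
    "memory/1784-58-0x0000000000000000-mapping.dmp",
    "memory/1120-60-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/1120-61-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/1120-66-0x00000000004ACD7E-mapping.dmp",
    "memory/1120-68-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/1120-587-0x00000000007D0000-0x0000000000814000-memory.dmp",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8518.tmp",  # dropped file, not a dump; ignored
]

def parse_dump_name(name):
    """Return pid/seq/start/end/kind for a dump entry, or None for other files."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "start": start, "end": end, "kind": "region" if end else "mapping"}

def regions_by_pid(names):
    """Counter of (pid, start, end) for region dumps, and the (pid, addr) mapping entries."""
    regions, mappings = Counter(), []
    for n in names:
        d = parse_dump_name(n)
        if d is None:
            continue
        if d["kind"] == "region":
            regions[(d["pid"], d["start"], d["end"])] += 1
        else:
            mappings.append((d["pid"], d["start"]))
    return regions, mappings

def hottest_region(names):
    """The region dumped most often. In a hollowing run that is the child's
    rewritten image, so it is the first region to carve and unpack."""
    regions, _ = regions_by_pid(names)
    (pid, start, end), count = regions.most_common(1)[0]
    return {"pid": pid, "start": start, "end": end, "size": end - start, "dumps": count}

def mappings_inside_regions(names):
    """Mapping entries whose address lies inside a region dump of the same PID."""
    regions, mappings = regions_by_pid(names)
    return [(pid, addr) for pid, addr in mappings
            if any(p == pid and s <= addr < e for (p, s, e) in regions)]

if __name__ == "__main__":
    print(hottest_region(SAMPLE_FILES))
    print([(pid, hex(addr)) for pid, addr in mappings_inside_regions(SAMPLE_FILES)])
```

On the full list the same region is dumped dozens of times while every other region appears once, which is the signal to look for when deciding which dump to load into a PE fixer: a 0x400000-based image of 0xB2000 bytes whose contents keep changing is the unpacked payload being written over the original executable.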

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:11

Platform

win10v2004-20220414-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
(32 rows recorded; every field is N/A)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2408 set thread context of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
PID 2408 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp"

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe

"{path}"

Network

Country Destination Domain Proto
US 209.197.3.8:80 - tcp
US 20.189.173.1:443 - tcp
FR 2.18.109.224:443 - tcp
US 104.18.25.243:80 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp

Files

memory/2408-130-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/2408-131-0x000000000AE50000-0x000000000B3F4000-memory.dmp

memory/2408-132-0x000000000AA40000-0x000000000AAD2000-memory.dmp

memory/2408-133-0x000000000A9C0000-0x000000000A9CA000-memory.dmp

memory/2408-134-0x000000000E190000-0x000000000E22C000-memory.dmp

memory/4012-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp

MD5 1175547db226a3ea782db17c1e2a651d
SHA1 a27659e0affe6609e8b2e9fe8e4ff5852295284e
SHA256 c093ea4ed31764d241444855db605d9885a63b14022838d3b7e9b018934c84ed
SHA512 6bee2eabbd33dd497ef75c99ec94eba3992bc58b02961442b3e8672200ae945f6d116cb0e9b0ae8478a9fabd387b59b79b8c4bd7b599dd62d1101e1ea251c7bf

memory/3708-137-0x0000000000000000-mapping.dmp

memory/4948-138-0x0000000000000000-mapping.dmp

memory/2032-139-0x0000000000000000-mapping.dmp

memory/2032-140-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RK__PO_2.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/2032-143-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-145-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-147-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-149-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-151-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-153-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-155-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-157-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-159-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-161-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-163-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-165-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-167-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-169-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-171-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-173-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-175-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-177-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-179-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-181-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-183-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-185-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-187-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-189-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-191-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-193-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-195-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-197-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-199-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-201-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-203-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2032-658-0x00000000052E0000-0x0000000005346000-memory.dmp

memory/2032-659-0x0000000006870000-0x00000000068C0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:10

Platform

win7-20220414-en

Max time kernel

122s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
(33 rows recorded; every field is N/A)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1348 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1348 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp587D.tmp"

C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.14:80 repository.certum.pl tcp

Files

memory/1348-54-0x0000000001010000-0x000000000110E000-memory.dmp

memory/1348-55-0x0000000007F90000-0x000000000806C000-memory.dmp

memory/1348-56-0x0000000000450000-0x0000000000464000-memory.dmp

memory/1348-57-0x0000000005D40000-0x0000000005DF8000-memory.dmp

memory/1632-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp587D.tmp

MD5 65197dfa78bbca84590ea14307adef72
SHA1 31237357c5154fe6384c3f21bdf88444213455b5
SHA256 6a9393a1c262013842cac1bfbd6738e8bac5ec47e5637361488ff3709a00fb77
SHA512 3c89e59b4e326ee0aac7913f749109190cf28027399b1c57d7a732b9e905d943f0a5666b40881ed58f10a89362d25f9dd0ab14c5fd226819b64199777b8b2f2e

memory/1980-60-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-61-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-63-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-64-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-66-0x00000000004AC9AE-mapping.dmp

memory/1980-65-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-68-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-70-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-72-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-74-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-76-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-78-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-80-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-82-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-84-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-86-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-88-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-92-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-94-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-98-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-102-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-104-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-106-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-108-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-110-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-114-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-112-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-116-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-118-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-120-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-122-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-124-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1980-587-0x0000000000C60000-0x0000000000CA4000-memory.dmp

memory/1980-589-0x0000000000CD5000-0x0000000000CE6000-memory.dmp

memory/1980-590-0x0000000000D10000-0x0000000000D24000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:11

Platform

win10v2004-20220414-en

Max time kernel

112s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4732 set thread context of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4732 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4732 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 4732 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
PID 1764 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3640 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3640 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFA6.tmp"

C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe'

Network

Country Destination Domain Proto
US 20.42.65.85:443 tcp
FR 2.18.109.224:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 87.248.202.1:80 tcp
US 104.18.24.243:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files

memory/4732-130-0x0000000000080000-0x000000000017E000-memory.dmp

memory/4732-131-0x000000000A830000-0x000000000ADD4000-memory.dmp

memory/4732-132-0x000000000A420000-0x000000000A4B2000-memory.dmp

memory/4732-133-0x000000000A380000-0x000000000A38A000-memory.dmp

memory/4732-134-0x000000000DBC0000-0x000000000DC5C000-memory.dmp

memory/3476-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBFA6.tmp

MD5 541e13162b02b801210b581259326985
SHA1 40a7b5e6a0a7cade43dd40f81143ae68223ebc9f
SHA256 a4fbb92255c1350690efdcdb768e19442eecb00330571d4fdaf530c45c19d604
SHA512 4f839d09db90b8771ff9d2db77781a283ddeeb40a6e543518c4c302787462b87d4b2193543ce6545ff1f6638468a8de7d737edf5fdaa55e4dd95c0fea24177b8

memory/1764-137-0x0000000000000000-mapping.dmp

memory/1764-138-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RK__PO_N.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/1764-141-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-143-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-145-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-147-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-149-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-151-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-153-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-155-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-157-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-159-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-161-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-163-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-165-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-167-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-169-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-171-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-173-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-175-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-177-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-179-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-181-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-183-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-185-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-187-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-189-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-191-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-193-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-195-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-197-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-199-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-201-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1764-656-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/3640-657-0x0000000000000000-mapping.dmp

memory/4904-658-0x0000000000000000-mapping.dmp

memory/4904-659-0x0000000004B70000-0x0000000004BA6000-memory.dmp

memory/4904-660-0x00000000051E0000-0x0000000005808000-memory.dmp

memory/4904-661-0x00000000059A0000-0x00000000059C2000-memory.dmp

memory/4904-662-0x0000000005A40000-0x0000000005AA6000-memory.dmp

memory/4904-663-0x0000000006130000-0x000000000614E000-memory.dmp

memory/4904-664-0x0000000007990000-0x000000000800A000-memory.dmp

memory/4904-665-0x0000000006630000-0x000000000664A000-memory.dmp

memory/4904-666-0x00000000073B0000-0x0000000007446000-memory.dmp

memory/4904-667-0x0000000006700000-0x0000000006722000-memory.dmp