Overview

overview

10

Static

static

Inquiry -B...df.exe

windows7_x64

10

Inquiry -B...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    98s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe

  • Size

    864KB

  • MD5

    174bc3327e9eaad09baff6bbfae225b0

  • SHA1

    188400f03c706a49ebdbb1970fc35f78147c69da

  • SHA256

    6b287b9b3200533c490357e28b5e9c65856740c2a63c32dae9bd50b042557664

  • SHA512

    f33a07376bbacca4b17791805f93da524f4ebe7bba08859654e300e5ac7f9239f6690f5323d3697b4db07a9671cdae885f08b38f3ea8511fd1b41631539f3aa6

Score
10/10
massloggercollectionrezer0spywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    money123@@@

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NcWHnUdwWgUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75FB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe
      "{path}"
      2⤵
        PID:1944
      • C:\Users\Admin\AppData\Local\Temp\Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe
        "{path}"
        2⤵
          PID:1812
        • C:\Users\Admin\AppData\Local\Temp\Inquiry -Batenburg Bevestigingstechnie QO202000182________________________pdf.exe
          "{path}"
          2⤵
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1920

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp75FB.tmp
        Filesize

        1KB

        MD5

        8b94c7188addd627c9bedf9ebeb51e54

        SHA1

        fb821fc4c269610c00946acf8719deade33d5599

        SHA256

        5aad6462ad0a987948cd6ff06929dd6d1f741f993be1ce61f638e2c58c40839f

        SHA512

        e4112dcb50a38be2f6e6c93ebe32ecc1d69d655ebb8513a22087c3b113f248511869358613d3e467d161670e6ab02cf089b98577a55c5c64e392f9c23ce71f1d

        Download Submit
      • memory/1504-55-0x0000000075271000-0x0000000075273000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1504-56-0x0000000000470000-0x0000000000478000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1504-57-0x0000000005680000-0x000000000572E000-memory.dmp
        Filesize

        696KB

        Download
      • memory/1504-54-0x0000000000180000-0x000000000025E000-memory.dmp
        Filesize

        888KB

        Download
      • memory/1920-84-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-88-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-61-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-63-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-64-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-65-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-66-0x00000000004A183E-mapping.dmp
        Download
      • memory/1920-68-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-70-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-72-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-74-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-76-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-78-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-80-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-82-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-572-0x0000000002110000-0x0000000002154000-memory.dmp
        Filesize

        272KB

        Download
      • memory/1920-86-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-60-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-90-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-92-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-94-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-96-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-98-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-100-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-102-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-104-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-106-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-108-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-110-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-112-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-114-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-116-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-118-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-120-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1920-122-0x0000000000400000-0x00000000004A6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/2000-58-0x0000000000000000-mapping.dmp
        Download