Malware Analysis Report

2024-10-23 21:33

Sample ID 220521-n1kqlaede6
Target c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768
SHA256 c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768
Tags
rezer0 masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768

Threat Level: Known bad

The file c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768 was found to be: Known bad.

Malicious Activity Summary

rezer0 masslogger collection ransomware spyware stealer

MassLogger

MassLogger Main Payload

MassLogger log file

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 11:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 11:51

Reported

2022-05-21 12:43

Platform

win7-20220414-en

Max time kernel

97s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"

Signatures

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 908 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 908 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 4
PID 908 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 4
PID 908 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 4
PID 908 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 4
PID 908 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 4

The parent (PID 908) relaunched its own image five times (PIDs 956, 1908, 560, 1872, 880) and wrote into each child. Unlike behavioral2, no SetThreadContext event follows any of these writes in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4970.tmp"

Note: the command line names System32, but the image that ran is the SysWOW64 copy, i.e. the 32-bit parent was redirected by WOW64. The task definition is the .tmp file under the user's Temp directory (hashes under Files below); its contents are not included in this report, so the task's trigger and action cannot be read from this page. The task name Updates\swGthhEL is identical in both detonations while the .tmp file name and hashes differ, so the task name is the more durable indicator.

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"
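The schtasks.exe invocation above is the persistence step a detection engineer would want to catch in process-creation telemetry. The following is an added example written for this report, not sandbox output or code from the sample: it tokenizes schtasks command lines, pulls out /Create, /TN and /XML, and scores the launch on where the XML and the parent live. SAMPLE_EVENTS holds (parent image, image, command line) tuples modelled on Sysmon event 1 fields; the two schtasks command lines are copied from this report, the two benign rows and the TRUSTED_PARENTS allowlist are constructed assumptions.

```python
"""Flag suspicious schtasks.exe /Create invocations in process-creation logs.

Added example for this report, not part of the sandbox output. The two
schtasks command lines are the ones from behavioral1 and behavioral2; the
two benign rows and the allowlist are constructed for the example.
"""
import re

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
TRUSTED_PARENTS = {  # assumed allowlist; tune to the environment
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\services.exe",
}

SAMPLE_EVENTS = [
    # (parent image, image, command line)
    (r"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4970.tmp"'),
    (r"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp"'),
    # Constructed benign decoys.
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /XML "C:\Windows\Temp\defrag.xml"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Query /TN "Updates\swGthhEL"'),
]


def tokenize(cmd):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_switches(tokens):
    """Map each /switch (lower-cased) to the value that follows it, or True if bare."""
    switches, i = {}, 1  # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[tok.lower()] = tokens[i + 1]
                i += 2
                continue
            switches[tok.lower()] = True
        i += 1
    return switches


def analyze(parent, image, cmd):
    """Return a finding dict for a suspicious schtasks /Create, else None."""
    tokens = tokenize(cmd)
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    sw = parse_switches(tokens)
    if "/create" not in sw:
        return None
    task, xml, reasons = sw.get("/tn", ""), sw.get("/xml"), []
    if isinstance(xml, str):
        if USER_TEMP.search(xml):
            reasons.append("task XML loaded from user Temp directory")
        if xml.lower().endswith(".tmp"):
            reasons.append("task XML has .tmp extension")
    if USER_TEMP.search(parent):
        reasons.append("parent runs from user Temp directory")
    elif parent.lower() not in TRUSTED_PARENTS:
        reasons.append("parent is not an allowlisted system binary")
    if task and not task.lower().startswith("microsoft\\"):
        reasons.append("task registered outside the Microsoft\\ folder")
    if not reasons:
        return None
    # A SysWOW64 image with a System32 command line means a 32-bit parent (WOW64 redirection).
    return {"task": task, "xml": xml, "parent": parent,
            "wow64": "\\syswow64\\" in image.lower(), "reasons": reasons}


def scan(events):
    """Run analyze over (parent, image, cmd) tuples and keep the hits."""
    return [hit for hit in (analyze(*ev) for ev in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["task"], hit["xml"], "wow64" if hit["wow64"] else "", "; ".join(hit["reasons"]))
```

The rule fires on both detonation command lines for four independent reasons and stays quiet on the svchost-launched system task and on the /Query call. In production, feed it the parent/image/command-line fields of your EDR or Sysmon event 1 stream and pair it with a file-creation lookup for the .tmp path so the task XML itself can be retrieved before it is deleted.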

Network

N/A

No connections were recorded in this run. The MassLogger payload signatures, the Outlook profile access and the api.ipify.org lookup appear only in behavioral2 (Windows 10), so the Windows 7 detonation shows the ReZer0 stage and the scheduled-task persistence but not the stealer stage.

Files

memory/908-54-0x00000000003E0000-0x00000000004B4000-memory.dmp

memory/908-55-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/908-56-0x0000000006780000-0x0000000006830000-memory.dmp

memory/320-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4970.tmp

MD5 71656eacd4e12e01ea4918af799dc1f8
SHA1 5d9e4e574f2286404702a4570b8ec37a478bb579
SHA256 4805168eb6b0ae26c05cb05e52eca4890436c8dd9dc69f04ff80abeb39991db4
SHA512 123bf3e07f5635d2fe00b804364b13c6b304aceff6241e1acd56681a53e2a5ef8c636f745019e3a116aebf0d850f00e6fa6e8e0541dbe1b7d8cfcbf604964e40

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 11:51

Reported

2022-05-21 12:43

Platform

win10v2004-20220414-en

Max time kernel

183s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

Geo\Nation holds the numeric GeoID of the user's configured country. The report records only the read; it does not show whether the value gates execution.

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

The rows marked Key created show the sample opening these paths with create semantics: on a sandbox host with no Outlook profile the keys do not exist beforehand, so the sample itself creates them and leaves empty profile paths behind, which is an artifact worth checking for on a suspect host. 9375CFF0413111d3B88A00104B2A6676 is the subkey under which Outlook keeps its account settings; the sample checks it under Office 15.0, Office 16.0 and the legacy Windows Messaging Subsystem location. Nothing in this report shows that any account data was actually read.

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1140 set thread context of 3788 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1140 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1140 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 3
PID 1140 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\PO 0856.exe C:\Users\Admin\AppData\Local\Temp\PO 0856.exe 8

PID 3788 is the same process whose thread context PID 1140 set (Suspicious use of SetThreadContext above) and whose 0x00400000-0x004A8000 region is dumped under Files; that dump is the first place to look for the unpacked payload.
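The SetThreadContext and WriteProcessMemory rows above only become meaningful together: writes into a child process also appear for an ordinary launch (the schtasks.exe child here received three), whereas writes into a child running the same image followed by a thread-context change is the hollowing (RunPE) pattern. The example below is added for this report and is not sandbox output or code from the sample; it correlates the two event types per (source, target) pair and rates each pair. EVENTS and EVENTS_WIN7 are constructed from the behavioral2 and behavioral1 tables with the same PIDs, image paths and counts, and the tuple layout is an assumption.

```python
"""Correlate WriteProcessMemory and SetThreadContext events per (source, target) pair.

Added example for this report, not sandbox output. EVENTS and EVENTS_WIN7 are
constructed from the signature tables of behavioral2 and behavioral1 with the
same PIDs, image paths and event counts; the tuple layout is an assumption.
"""
from collections import defaultdict

PO = r"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# (api, source pid, target pid, source image, target image)
EVENTS = (
    [("WriteProcessMemory", 1140, 2560, PO, SCHTASKS)] * 3
    + [("WriteProcessMemory", 1140, 3104, PO, PO)] * 3
    + [("WriteProcessMemory", 1140, 3788, PO, PO)] * 8
    + [("SetThreadContext", 1140, 3788, PO, PO)]
)

EVENTS_WIN7 = [("WriteProcessMemory", 908, 320, PO, SCHTASKS)] * 4
for _pid in (956, 1908, 560, 1872, 880):
    EVENTS_WIN7 += [("WriteProcessMemory", 908, _pid, PO, PO)] * 4


def correlate(events):
    """Group events by (source, target) and rate each pair, strongest evidence first."""
    pairs = defaultdict(lambda: {"wpm": 0, "stc": 0, "src_image": "", "dst_image": ""})
    for api, src, dst, src_img, dst_img in events:
        rec = pairs[(src, dst)]
        rec["src_image"], rec["dst_image"] = src_img, dst_img
        if api == "WriteProcessMemory":
            rec["wpm"] += 1
        elif api == "SetThreadContext":
            rec["stc"] += 1

    findings = []
    for (src, dst), rec in pairs.items():
        same_image = rec["src_image"].lower() == rec["dst_image"].lower()
        if rec["wpm"] and rec["stc"]:
            # Memory written into another process and its thread context replaced:
            # the hollowing / RunPE sequence. Same image path means self-replacement.
            verdict = "process hollowing candidate" + (" (self-replacement)" if same_image else "")
        elif same_image and rec["wpm"]:
            verdict = "self-spawn with memory writes, no thread context change"
        else:
            verdict = "child launch with memory writes"
        findings.append({"src": src, "dst": dst, "wpm": rec["wpm"], "stc": rec["stc"],
                         "same_image": same_image, "verdict": verdict})
    findings.sort(key=lambda f: (f["stc"], f["same_image"], f["wpm"]), reverse=True)
    return findings


def hollowing_candidates(events):
    """(source pid, target pid) pairs that received both writes and a thread-context change."""
    return [(f["src"], f["dst"]) for f in correlate(events) if f["stc"] and f["wpm"]]


if __name__ == "__main__":
    for label, evs in (("behavioral2 / Win10", EVENTS), ("behavioral1 / Win7", EVENTS_WIN7)):
        print(label)
        for f in correlate(evs):
            print(f"  {f['src']} -> {f['dst']}: wpm={f['wpm']} stc={f['stc']} {f['verdict']}")
```

On the Windows 10 events the only hollowing candidate is 1140 -> 3788; on the Windows 7 events every pair stays at the weaker "self-spawn" rating, which matches the absence of MassLogger signatures in that run. The same pairing logic applies to EDR telemetry that exposes these two API calls with source and target PIDs.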

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PO 0856.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PO 0856.exe

"{path}"

Network

Country Destination Domain Proto Events
GB 92.123.143.240:80 N/A tcp 3
US 20.189.173.10:443 N/A tcp 1
NL 104.110.191.140:80 N/A tcp 3
US 8.8.8.8:53 api.ipify.org udp 1
US 52.20.78.240:80 api.ipify.org tcp 1
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp 1

Only the api.ipify.org lookup (DNS via 8.8.8.8, then HTTP to 52.20.78.240:80) is tied to the sample by a signature above. The remaining destinations carry no domain in this report and are not attributed to the sample here; the in-addr.arpa query is a reverse lookup of 40.125.122.176. No command-and-control or exfiltration endpoint appears in either detonation.

Files

memory/1140-130-0x0000000000B20000-0x0000000000BF4000-memory.dmp

memory/1140-131-0x0000000005540000-0x00000000055DC000-memory.dmp

memory/1140-132-0x0000000005710000-0x00000000057A2000-memory.dmp

memory/1140-133-0x0000000007690000-0x0000000007C34000-memory.dmp

memory/2560-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp

MD5 8dc2c47c54c361276076319091a42f90
SHA1 b4f3697bb6ff23cfd705237af18d396386c94aa1
SHA256 e68a1a41f49f52d45605f22fcffd0c5a8cca84d071d1df073eb2f747f5c0337b
SHA512 810532aec29fd9b606d68aa47fb62bc7061c57bcabb8319dab6628975337de0677b568183cb71fe650106593b177bba55e103bed3f237cae637e5882220e1a6b

memory/3104-136-0x0000000000000000-mapping.dmp

memory/3788-137-0x0000000000000000-mapping.dmp

memory/3788-138-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3788-139-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/3788-140-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

memory/3788-141-0x0000000007000000-0x0000000007050000-memory.dmp