Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

RFQ #0605176.exe

windows7_x64

RFQ #0605176.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21/05/2022, 11:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ #0605176.exe

  • Size

    1.4MB

  • MD5

    c711fc1c2e67bfa34d1117e526365033

  • SHA1

    842f0492db652ad8da1553b98240a5dd0a439de2

  • SHA256

    3027dc21e325fddbc9e6cd21b0491f3270190f219776de4971e510c4490d3c25

  • SHA512

    95e1628a6249fe7a0059f699c4e61a6f132c67c76c669056ecb37d36afc11e88d3f1cddcc5c7d72763c3f32f137c4b22c21231197c9078229265a04ed6d9db8b

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:35:03 PM MassLogger Started: 5/21/2022 1:34:52 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe As Administrator: True

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    m4cfund@yandex.com
  • Password:
    Dmacdavid

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ #0605176.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ #0605176.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4720

Network

  • flag-us
    DNS
    api.ipify.org
    InstallUtil.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api.ipify.org.herokudns.com
    api.ipify.org.herokudns.com
    IN A
    54.91.59.199
    api.ipify.org.herokudns.com
    IN A
    52.20.78.240
    api.ipify.org.herokudns.com
    IN A
    3.220.57.224
    api.ipify.org.herokudns.com
    IN A
    3.232.242.170
  • flag-us
    GET
    http://api.ipify.org/
    InstallUtil.exe
    Remote address:
    54.91.59.199:80
    Request
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Sat, 21 May 2022 11:34:58 GMT
    Content-Length: 12
    Via: 1.1 vegur
  • flag-us
    DNS
    15.89.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.89.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    smtp.yandex.com
    InstallUtil.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.yandex.com
    IN A
    Response
    smtp.yandex.com
    IN CNAME
    smtp.yandex.ru
    smtp.yandex.ru
    IN A
    77.88.21.158
  • 104.110.191.133:80
    322 B
     7
  • 104.110.191.133:80
    322 B
     7
  • 20.42.73.26:443
    322 B
     7
  • 92.123.143.240:80
    322 B
     7
  • 92.123.143.240:80
    322 B
     7
  • 92.123.143.240:80
    322 B
     7
  • 54.91.59.199:80
    http://api.ipify.org/
    http
    InstallUtil.exe
    293 B
     316 B
     5
    3

    HTTP Request

    GET http://api.ipify.org/

    HTTP Response

    200
  • 77.88.21.158:587
    smtp.yandex.com
    smtp-submission
    InstallUtil.exe
    1.4kB
     6.3kB
     19
    15
  • 8.8.8.8:53
    api.ipify.org
    dns
    InstallUtil.exe
    59 B
     164 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    54.91.59.199
    52.20.78.240
    3.220.57.224
    3.232.242.170

  • 8.8.8.8:53
    15.89.54.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    15.89.54.20.in-addr.arpa

  • 8.8.8.8:53
    smtp.yandex.com
    dns
    InstallUtil.exe
    61 B
     105 B
     1
    1

    DNS Request

    smtp.yandex.com

    DNS Response

    77.88.21.158

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • memory/4720-166-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-168-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-170-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-136-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-646-0x00000000080D0000-0x000000000816C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4720-645-0x0000000007FE0000-0x0000000008030000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4720-140-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-142-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-144-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-146-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-148-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-150-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-152-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-154-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-156-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-158-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-160-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-162-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-164-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-644-0x0000000006710000-0x000000000671A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4720-643-0x0000000005BF0000-0x0000000005C56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4720-200-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-172-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-174-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-176-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-178-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-180-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-182-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-184-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-186-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-188-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-190-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-192-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-194-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-196-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4720-198-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/5016-134-0x0000000005830000-0x00000000058C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5016-130-0x0000000000A10000-0x0000000000B44000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5016-132-0x0000000005740000-0x0000000005784000-memory.dmp

    Filesize

    272KB

    Download

  • memory/5016-131-0x0000000005CF0000-0x0000000006294000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5016-133-0x00000000053C0000-0x00000000053E2000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.