Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

PO#052620.exe

windows7_x64

10

PO#052620.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21/05/2022, 12:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#052620.exe

  • Size

    916KB

  • MD5

    6b9b5794e44f69ab2773ce2799463454

  • SHA1

    5ae3669ecff1e3de5569d81a0c4bae495e4be457

  • SHA256

    9c5b8535e2ac554768c5cfc3d655a3aed7647fe2280e66161a516296eb5a5918

  • SHA512

    b5d666a93bd724e010fc63f5d70078c54a7a8bebf6aab647ad2a49d049d99703ac14ba2b7fe408632eef308d85af5b2725e89c18e193f2966ff0cb1b72460731

Score
10/10
massloggercollectioncoreentityransomwarerezer0spywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:31:14 PM MassLogger Started: 5/21/2022 2:30:43 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    don8@intarscan.org
  • Password:
    ?qlva43X~o%I

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#052620.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#052620.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1124

Network

  • flag-us
    DNS
    api.ipify.org
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api.ipify.org.herokudns.com
    api.ipify.org.herokudns.com
    IN A
    52.20.78.240
    api.ipify.org.herokudns.com
    IN A
    3.220.57.224
    api.ipify.org.herokudns.com
    IN A
    3.232.242.170
    api.ipify.org.herokudns.com
    IN A
    54.91.59.199
  • flag-us
    GET
    http://api.ipify.org/
    RegSvcs.exe
    Remote address:
    52.20.78.240:80
    Request
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Sat, 21 May 2022 12:31:12 GMT
    Content-Length: 12
    Via: 1.1 vegur
  • flag-us
    DNS
    us2.smtp.mailhostbox.com
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    us2.smtp.mailhostbox.com
    IN A
    Response
    us2.smtp.mailhostbox.com
    IN A
    208.91.198.46
    us2.smtp.mailhostbox.com
    IN A
    162.222.225.29
    us2.smtp.mailhostbox.com
    IN A
    208.91.198.38
    us2.smtp.mailhostbox.com
    IN A
    162.222.225.16
  • 52.20.78.240:80
    http://api.ipify.org/
    http
    RegSvcs.exe
    299 B
     540 B
     5
    4

    HTTP Request

    GET http://api.ipify.org/

    HTTP Response

    200
  • 208.91.198.46:587
    us2.smtp.mailhostbox.com
    smtp
    RegSvcs.exe
    1.7kB
     7.8kB
     17
    21
  • 8.8.8.8:53
    api.ipify.org
    dns
    RegSvcs.exe
    59 B
     164 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    52.20.78.240
    3.220.57.224
    3.232.242.170
    54.91.59.199

  • 8.8.8.8:53
    us2.smtp.mailhostbox.com
    dns
    RegSvcs.exe
    70 B
     134 B
     1
    1

    DNS Request

    us2.smtp.mailhostbox.com

    DNS Response

    208.91.198.46
    162.222.225.29
    208.91.198.38
    162.222.225.16

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1124-82-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-78-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-576-0x0000000004EB0000-0x0000000004EF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1124-120-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-58-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-59-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-61-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-62-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-63-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-66-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-68-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-70-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-72-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-74-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-76-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-84-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-80-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-118-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-116-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-92-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-88-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-90-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-86-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-94-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-96-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-98-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-100-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-102-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-104-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-106-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-108-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-110-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-112-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1124-114-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1880-54-0x0000000000830000-0x000000000091C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/1880-55-0x00000000755A1000-0x00000000755A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1880-57-0x00000000081F0000-0x000000000829E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1880-56-0x0000000000360000-0x0000000000368000-memory.dmp

    Filesize

    32KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.