Analysis
max time kernel: 164s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: Enquiry.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Enquiry.exe
  Resource: win10v2004-20220414-en
General
Target: Enquiry.exe
Size: 797KB
MD5: f71557e9155556d4f0ea0e03b307f11d
SHA1: a04a977026b26e1da0f43ba3fd6a1112df109db9
SHA256: 1f4f66b6c25fcf9e510c93af0fb57942013de942175617a7b3a515709a44bed5
SHA512: 8a575f1a4364f35d3187cb9eb117a7bfdbc4d152ce2a72bfbca4dc80f6007493109de56ec4e870a2486df30bd17904970f08c463119280df07b06f7d8c9596f7
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
Family: masslogger
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1064-63-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1064-62-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1064-69-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1064-67-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1064-65-0x00000000004A303E-mapping.dmp | family_masslogger
behavioral1/memory/1064-64-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger

MassLogger log file (1 IoCs)
Detects a log file produced by MassLogger.
Processes:
yara_rule: masslogger_log_file

ReZer0 packer (1 IoCs)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource | yara_rule
behavioral1/memory/624-56-0x0000000005970000-0x0000000005A20000-memory.dmp | rezer0

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Enquiry.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | Enquiry.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 15 IoCs)
Processes: Enquiry.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Enquiry.exe
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Enquiry.exe
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
Processes: Enquiry.exe
description | pid | process | target process
PID 624 set thread context of 1064 | 624 | Enquiry.exe | Enquiry.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: Enquiry.exe
pid | process
1064 | Enquiry.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: Enquiry.exe, Enquiry.exe
pid | process
624 | Enquiry.exe
1064 | Enquiry.exe
1064 | Enquiry.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Enquiry.exe, Enquiry.exe
description | pid | process
Token: SeDebugPrivilege | 624 | Enquiry.exe
Token: SeDebugPrivilege | 1064 | Enquiry.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Enquiry.exe
pid | process
1064 | Enquiry.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: Enquiry.exe
description | pid | process | target process
PID 624 wrote to memory of 1536 | 624 | Enquiry.exe | schtasks.exe
PID 624 wrote to memory of 1536 | 624 | Enquiry.exe | schtasks.exe
PID 624 wrote to memory of 1536 | 624 | Enquiry.exe | schtasks.exe
PID 624 wrote to memory of 1536 | 624 | Enquiry.exe | schtasks.exe
PID 624 wrote to memory of 1764 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1764 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1764 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1764 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe
PID 624 wrote to memory of 1064 | 624 | Enquiry.exe | Enquiry.exe

outlook_office_path (1 IoCs)
Processes: Enquiry.exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe

outlook_win_path (1 IoCs)
Processes: Enquiry.exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOWbzufm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (depth 2)
    Command line: "{path}"

  - C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (depth 2)
    Command line: "{path}"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp
Filesize: 1KB
MD5: 61f6ce0ef4e13a72ed8777044ddca6e3
SHA1: 6828fc4ebc86b43f054c50800ad7b9298a276fbe
SHA256: 24ec2bc9414764d24a28a0c1839f47e4baa4636b38b292f1d25c36b40adb6e18
SHA512: 8755b449db60e3d7e525a52e4ef57df3cc7f86a8551000e82e33d2fea0aa31469c4b1748caff2af90b4a5e149c11c4715498e76fcfafc7b4335bafd243e125c3

Memory dumps:
memory/624-55-0x0000000000200000-0x0000000000210000-memory.dmp (Filesize: 64KB)
memory/624-56-0x0000000005970000-0x0000000005A20000-memory.dmp (Filesize: 704KB)
memory/624-54-0x0000000000E90000-0x0000000000F5E000-memory.dmp (Filesize: 824KB)
memory/1064-62-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-59-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-60-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-63-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-69-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-67-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-65-0x00000000004A303E-mapping.dmp
memory/1064-64-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
memory/1064-70-0x0000000000770000-0x00000000007B4000-memory.dmp (Filesize: 272KB)
memory/1064-71-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
memory/1064-72-0x0000000004D75000-0x0000000004D86000-memory.dmp (Filesize: 68KB)
memory/1536-57-0x0000000000000000-mapping.dmp