Malware Analysis Report

2024-10-19 08:46

Sample ID: 220521-pjqe7aafcl
Target: 7ba17d8b3d366f0a2d4c1dd3f95995831375c7433e0aa81c526849e54549182d
SHA256: 7ba17d8b3d366f0a2d4c1dd3f95995831375c7433e0aa81c526849e54549182d
Tags: rezer0 masslogger collection ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7ba17d8b3d366f0a2d4c1dd3f95995831375c7433e0aa81c526849e54549182d

Threat Level: Known bad

The file 7ba17d8b3d366f0a2d4c1dd3f95995831375c7433e0aa81c526849e54549182d was found to be: Known bad.

Malicious Activity Summary

Tags: rezer0 masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 12:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 12:21
Reported: 2022-05-21 12:34
Platform: win7-20220414-en
Max time kernel: 148s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe"

Signatures

ReZer0 packer

Tags: rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1016 set thread context of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1016 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYFAGrRGPfsz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50FE.tmp"

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"{path}"

Network

N/A

Files

memory/1016-54-0x0000000000820000-0x00000000008DE000-memory.dmp

memory/1016-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

memory/1016-56-0x0000000000580000-0x0000000000590000-memory.dmp

memory/1016-57-0x0000000005E80000-0x0000000005F16000-memory.dmp

memory/1776-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50FE.tmp

MD5 98ee8df28e311145dc3a4446e04a2571
SHA1 45c943cefa65a0a8525a4d3ec7ee24f16e9a79ea
SHA256 22c6868b92aa3f7be296268d78ec9dd8b77969b7ec287cdb31f150e70684ec55
SHA512 7dce05823df4a55671ac4f9001ad3c8db23e44a64888f7cf3c9b035ac0c0c29b189429b58195f9b596e92b862a779459b586d7b381f2f7e2dae85ebdbfe9b21c

memory/584-60-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-61-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-63-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-64-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-65-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-66-0x000000000048952E-mapping.dmp

memory/584-68-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-70-0x0000000000400000-0x000000000048E000-memory.dmp

memory/584-71-0x00000000006F0000-0x0000000000734000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 12:21
Reported: 2022-05-21 12:34
Platform: win10v2004-20220414-en
Max time kernel: 150s
Max time network: 173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe"

Signatures

MassLogger

Tags: stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses Microsoft Outlook profiles

Tags: collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2580 set thread context of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2580 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
PID 2580 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYFAGrRGPfsz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp391C.tmp"

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe

"{path}"

Network

Country | Destination | Domain | Proto
NL | 104.97.14.81:80 | N/A | tcp
IE | 20.54.110.249:443 | N/A | tcp
NL | 104.110.191.133:80 | N/A | tcp
US | 52.168.117.170:443 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.privateemail.com | udp
US | 198.54.122.135:587 | mail.privateemail.com | tcp

Files

memory/2580-130-0x0000000000FC0000-0x000000000107E000-memory.dmp

memory/2580-131-0x0000000005F00000-0x00000000064A4000-memory.dmp

memory/2580-132-0x0000000005950000-0x00000000059E2000-memory.dmp

memory/2580-133-0x00000000058F0000-0x00000000058FA000-memory.dmp

memory/2580-134-0x0000000009340000-0x00000000093DC000-memory.dmp

memory/4544-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp391C.tmp

MD5 f92e0ad7da878f270dcfeb3cd4776ba1
SHA1 351e78b5811f9d45afa763e1a2b707a5278c7af9
SHA256 29de4e7b4dc6fe770340293cf283d5f0f0b091ccbdcaffa148c70580a9d15876
SHA512 cfa5b8901ceb30d4e2a1bdb09e01101e6c5c66a8095df06e8c7b06368dc623a24ce69d4bb2b35c746198905525e445d5b989ece3f41cfc5472e3aeb8a06e58a8

memory/4716-137-0x0000000000000000-mapping.dmp

memory/1092-138-0x0000000000000000-mapping.dmp

memory/4964-139-0x0000000000000000-mapping.dmp

memory/4964-140-0x0000000000400000-0x000000000048E000-memory.dmp

memory/4964-141-0x00000000052E0000-0x0000000005346000-memory.dmp

memory/4964-142-0x0000000008590000-0x00000000085E0000-memory.dmp