Analysis
- max time kernel: 113s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: PO.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO.exe
  Resource: win10v2004-20220414-en
General
- Target: PO.exe
- Size: 1.5MB
- MD5: f512638b09983b315c24199bffae80cc
- SHA1: f62de084522901915b43ce766bca6e3a0797cdf3
- SHA256: f937bbe27c6d52452a121bc9aa320c26ae7eada7cadc9dda0fafc2c6b1bd5818
- SHA512: a9566748c0c34168fafc88d2e3c1522fc7d1422266fa65b1beafbc82f45a88394d4ada16104b011e97f5e1396fa745d20bee185dc11447f4ad162e5c7ada48d8
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule: masslogger_log_file
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x0007000000013a17-630.dat | acprotect
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  resource | yara_rule
  behavioral1/memory/1760-58-0x0000000005870000-0x00000000059D6000-memory.dmp | rezer0
- upx (yara_rule match, 1 IoC)
  resource | yara_rule
  behavioral1/files/0x0007000000013a17-630.dat | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | PO.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2028 | PO.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1760 set thread context of 2028 | 1760 | PO.exe | 30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1232 | schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2028 | PO.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2028 | PO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2028 | PO.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2028 | PO.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1760 wrote to memory of 1232 | 1760 | PO.exe | 28
  PID 1760 wrote to memory of 1232 | 1760 | PO.exe | 28
  PID 1760 wrote to memory of 1232 | 1760 | PO.exe | 28
  PID 1760 wrote to memory of 1232 | 1760 | PO.exe | 28
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
  PID 1760 wrote to memory of 2028 | 1760 | PO.exe | 30
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1760
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\secOYgd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp845D.tmp"
    - Creates scheduled task(s)
    PID: 1232
  - C:\Users\Admin\AppData\Local\Temp\PO.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID: 2028
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 0e0e27f38cd0652db7f258edeae21337
  SHA1: f17b1219b23ba415853234453f15462444482c69
  SHA256: 290fa9515da5da2ed0ca669aa3d1d89b92372fe7fc94e81f1248aafd70205349
  SHA512: 12c1a34964e781e5401fbd51d9080d76c559d1d4b2cfaca8ae7d8735612d5452e8d60d9d6c147b3e7f001526b67a8e13819b85b8e1e38edccf5f0eae6b071e8c
- Filesize: 594KB
  MD5: e81aeac387c5db32b7f9b07d15e788e0
  SHA1: 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
  SHA256: 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
  SHA512: cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e