Overview

overview

10

Static

static

pqI75Aqgj0J5fmF.exe

windows7-x64

10

pqI75Aqgj0J5fmF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2022 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pqI75Aqgj0J5fmF.exe

  • Size

    994KB

  • MD5

    72115f284ae26d36cc4e0427fc3be420

  • SHA1

    086b2d81c7913aac1f10632f34623356bf8cb081

  • SHA256

    21178d3dc240fc60a328a125280b58e073cd8cb677553cc867a62fcdceca210f

  • SHA512

    c29cd1e96a2d70ac1677806068614378bd4add58cc29b06a83f2abea1bf8151f930016cc97ec116ea3ad3ca0ad0598f27bfcaa267ca0be29df2948b5eb794f63

Score
10/10
massloggercoreentityransomwarerezer0spywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8B25A76FBE\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 7/30/2022 10:52:52 PM MassLogger Started: 7/30/2022 10:52:45 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
    "C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzZSSBSPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D59.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:840
    • C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9D59.tmp
    Filesize

    1KB

    MD5

    583695862bf95a6f9175b37ba1deea14

    SHA1

    fc390fa98c450dbf0cd73e467b7c53e195a13adb

    SHA256

    7dc7756c0e0c316c87614ba9482d6a137a779857d2a8529424aeba3b23ed915e

    SHA512

    f820c44d1ad24497eacf9573e768408c6a80cbadc6ca2d0b2bdb30f83b83df78f220548b296cc339fef21e87a27d00841214077e83a85453b5d2ae453c79f4fc

    Download Submit
  • memory/840-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1940-54-0x00000000013C0000-0x00000000014BE000-memory.dmp
    Filesize

    1016KB

    Download
  • memory/1940-55-0x00000000762A1000-0x00000000762A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1940-56-0x0000000000240000-0x0000000000248000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1940-57-0x0000000004CB0000-0x0000000004D68000-memory.dmp
    Filesize

    736KB

    Download
  • memory/2040-84-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-90-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-63-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-64-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-65-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-66-0x00000000004AB90E-mapping.dmp
    Download
  • memory/2040-68-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-70-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-72-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-74-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-76-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-78-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-80-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-82-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-60-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-86-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-88-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-61-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-92-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-94-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-96-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-98-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-100-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-102-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-104-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-106-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-110-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-108-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-112-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-114-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-116-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-118-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-120-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-122-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2040-579-0x0000000000530000-0x0000000000574000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2040-581-0x0000000000C75000-0x0000000000C86000-memory.dmp
    Filesize

    68KB

    Download