Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
30/07/2022, 22:09
Static task
static1
Behavioral task
behavioral1
Sample
pqI75Aqgj0J5fmF.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
pqI75Aqgj0J5fmF.exe
Resource
win10v2004-20220721-en
General
-
Target
pqI75Aqgj0J5fmF.exe
-
Size
994KB
-
MD5
72115f284ae26d36cc4e0427fc3be420
-
SHA1
086b2d81c7913aac1f10632f34623356bf8cb081
-
SHA256
21178d3dc240fc60a328a125280b58e073cd8cb677553cc867a62fcdceca210f
-
SHA512
c29cd1e96a2d70ac1677806068614378bd4add58cc29b06a83f2abea1bf8151f930016cc97ec116ea3ad3ca0ad0598f27bfcaa267ca0be29df2948b5eb794f63
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\8B25A76FBE\Log.txt
masslogger
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
resource yara_rule behavioral1/memory/1940-56-0x0000000000240000-0x0000000000248000-memory.dmp coreentity -
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 32 IoCs
resource yara_rule behavioral1/memory/2040-63-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-64-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-65-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-66-0x00000000004AB90E-mapping.dmp family_masslogger behavioral1/memory/2040-68-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-70-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-72-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-74-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-76-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-78-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-80-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-82-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-84-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-86-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-88-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-90-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-92-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-94-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-96-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-98-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-100-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-102-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-104-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-106-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-110-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-108-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-112-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-114-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-116-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-118-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-120-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral1/memory/2040-122-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
yara_rule masslogger_log_file -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource yara_rule behavioral1/memory/1940-57-0x0000000004CB0000-0x0000000004D68000-memory.dmp rezer0 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\International\Geo\Nation pqI75Aqgj0J5fmF.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1940 set thread context of 2040 1940 pqI75Aqgj0J5fmF.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 840 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2040 pqI75Aqgj0J5fmF.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1940 pqI75Aqgj0J5fmF.exe 2040 pqI75Aqgj0J5fmF.exe 2040 pqI75Aqgj0J5fmF.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1940 pqI75Aqgj0J5fmF.exe Token: SeDebugPrivilege 2040 pqI75Aqgj0J5fmF.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2040 pqI75Aqgj0J5fmF.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1940 wrote to memory of 840 1940 pqI75Aqgj0J5fmF.exe 27 PID 1940 wrote to memory of 840 1940 pqI75Aqgj0J5fmF.exe 27 PID 1940 wrote to memory of 840 1940 pqI75Aqgj0J5fmF.exe 27 PID 1940 wrote to memory of 840 1940 pqI75Aqgj0J5fmF.exe 27 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29 PID 1940 wrote to memory of 2040 1940 pqI75Aqgj0J5fmF.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzZSSBSPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D59.tmp"2⤵
- Creates scheduled task(s)
PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2040
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5583695862bf95a6f9175b37ba1deea14
SHA1fc390fa98c450dbf0cd73e467b7c53e195a13adb
SHA2567dc7756c0e0c316c87614ba9482d6a137a779857d2a8529424aeba3b23ed915e
SHA512f820c44d1ad24497eacf9573e768408c6a80cbadc6ca2d0b2bdb30f83b83df78f220548b296cc339fef21e87a27d00841214077e83a85453b5d2ae453c79f4fc