Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

pqI75Aqgj0J5fmF.exe

windows7-x64

10

pqI75Aqgj0J5fmF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/07/2022, 22:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pqI75Aqgj0J5fmF.exe

  • Size

    994KB

  • MD5

    72115f284ae26d36cc4e0427fc3be420

  • SHA1

    086b2d81c7913aac1f10632f34623356bf8cb081

  • SHA256

    21178d3dc240fc60a328a125280b58e073cd8cb677553cc867a62fcdceca210f

  • SHA512

    c29cd1e96a2d70ac1677806068614378bd4add58cc29b06a83f2abea1bf8151f930016cc97ec116ea3ad3ca0ad0598f27bfcaa267ca0be29df2948b5eb794f63

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 32 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
    "C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzZSSBSPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3804
    • C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2692

Network

  • flag-us
    DNS
    176.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.122.125.40.in-addr.arpa
    IN PTR
    Response
  • 2.18.109.224:443
    322 B
     7
  • 20.50.80.209:443
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 8.248.7.254:80
    46 B
     40 B
     1
    1
  • 8.8.8.8:53
    176.122.125.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    176.122.125.40.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pqI75Aqgj0J5fmF.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp
    Filesize

    1KB

    MD5

    e522379c3ae68cf2e1712cc284301295

    SHA1

    cebcdd20c8fd7fe0956102bda6b5386ea8657f46

    SHA256

    78915b3ee58cd590410b4ce107dae912147978bbc214dd30da87d0544684698f

    SHA512

    2f7737c7e503fe15b5615bef3dd1f679cbca9d9f48e73592269d18afd0907c04ea9e8edfc3a17763117e94c25e9977023bcca502cac4377948c0493143f7275d

    Download Submit

  • memory/1880-183-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-171-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-141-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-143-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-145-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-147-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-149-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-151-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-153-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-155-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-157-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-159-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-161-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-163-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-165-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-167-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-169-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-173-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-175-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-177-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-179-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-181-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-138-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-187-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-185-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-189-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-191-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-193-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-195-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-197-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-199-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-201-0x0000000000400000-0x00000000004B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/1880-648-0x0000000005320000-0x0000000005386000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2692-657-0x0000000006770000-0x000000000678A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2692-656-0x0000000007B00000-0x000000000817A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2692-651-0x0000000002930000-0x0000000002966000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-652-0x0000000005690000-0x0000000005CB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2692-653-0x00000000053D0000-0x00000000053F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2692-654-0x0000000005470000-0x00000000054D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2692-655-0x0000000006280000-0x000000000629E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2692-659-0x0000000006840000-0x0000000006862000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2692-658-0x0000000007480000-0x0000000007516000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4464-130-0x0000000000890000-0x000000000098E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/4464-131-0x00000000057D0000-0x0000000005D74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4464-132-0x0000000005320000-0x00000000053B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4464-133-0x0000000005740000-0x000000000574A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4464-134-0x0000000007A90000-0x0000000007B2C000-memory.dmp

    Filesize

    624KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.