Analysis
- max time kernel: 131s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-11-2020 18:23

Static task: static1
Behavioral task: behavioral1
Sample: 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
Resource: win7v20201028
General
- Target: 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
- Size: 962KB
- MD5: cdf406d710f0927d0c3da612522ecf81
- SHA1: adb902ad470511d4c47923d0a3637428f59b8dff
- SHA256: 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6
- SHA512: 288dc89a4f5421488a2faffdaedd047093d340593a851c46e6f2fe57cd8b7e0ab93b44233633928451d403c764f6741aeece631bb6fb315f338c0fc6d2969cbd
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.casalsmd.com
- Port: 587
- Username: carolina@casalsmd.com
- Password: Carolina123
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  196 | Windows Update.exe
  2040 | Windows Update.exe

- Processes:
  resource | yara_rule
  behavioral2/memory/2672-1-0x0000000000400000-0x000000000051D000-memory.dmp | upx
  behavioral2/memory/2672-3-0x0000000000400000-0x000000000051D000-memory.dmp | upx
  behavioral2/memory/2672-4-0x0000000000400000-0x000000000051D000-memory.dmp | upx

- Deletes itself (1 IoCs)
  Processes:
  pid | process
  2040 | Windows Update.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Uses the VBS compiler for execution (1 TTPs)

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  10 | whatismyipaddress.com
  12 | whatismyipaddress.com

- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1044 set thread context of 2672 | 1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  PID 196 set thread context of 2040 | 196 | Windows Update.exe | Windows Update.exe
  PID 2040 set thread context of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 set thread context of 3060 | 2040 | Windows Update.exe | vbc.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid | process
  1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  196 | Windows Update.exe
  196 | Windows Update.exe
  3060 | vbc.exe
  3060 | vbc.exe
  2040 | Windows Update.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  196 | Windows Update.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2040 | Windows Update.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  2040 | Windows Update.exe

- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
  description | pid | process | target process
  PID 1044 wrote to memory of 2672 | 1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  PID 1044 wrote to memory of 2672 | 1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  PID 1044 wrote to memory of 2672 | 1044 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  PID 2672 wrote to memory of 196 | 2672 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | Windows Update.exe
  PID 2672 wrote to memory of 196 | 2672 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | Windows Update.exe
  PID 2672 wrote to memory of 196 | 2672 | 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe | Windows Update.exe
  PID 196 wrote to memory of 2040 | 196 | Windows Update.exe | Windows Update.exe
  PID 196 wrote to memory of 2040 | 196 | Windows Update.exe | Windows Update.exe
  PID 196 wrote to memory of 2040 | 196 | Windows Update.exe | Windows Update.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3992 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
  PID 2040 wrote to memory of 3060 | 2040 | Windows Update.exe | vbc.exe
Processes (process tree; the number is the depth in the tree)

depth 1: C:\Users\Admin\AppData\Local\Temp\1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6.exe"
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Deletes itself
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

        depth 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  MD5: 0005a2320272e7a94e72ce281d01294e
  SHA1: 5e3ec4dc01bff8fb220c3c98c57a1d178c982724
  SHA256: c50f130ae53620aa1d1996278cc8e7fe0a2f0174c28c9dac013994daae10bf36
  SHA512: 7c4e5b716f1da9d27ab4ac3ff3937337e11912599d62fcfbaade68fcd19cede6ff1a203e30544758adf86cd04ea9821a2c9c545428782390a03d496cb3926f2d
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times in the report; its hashes are identical to the submitted sample, i.e. a self-copy)
  MD5: cdf406d710f0927d0c3da612522ecf81
  SHA1: adb902ad470511d4c47923d0a3637428f59b8dff
  SHA256: 1532c731a4a27f84217899e49abaf03a3913765074700b7f896f246715a64cb6
  SHA512: 288dc89a4f5421488a2faffdaedd047093d340593a851c46e6f2fe57cd8b7e0ab93b44233633928451d403c764f6741aeece631bb6fb315f338c0fc6d2969cbd