Analysis

Task summary:
  Max time kernel:   131s
  Max time network:  134s
  Platform:          windows10_x64
  Resource:          win10v20201028
  Submitted:         25-02-2021 21:12

Tasks for this submission:
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           Payment Advice GLV225445686.exe
  Resource:         win7v20201028
General

  Target:  Payment Advice GLV225445686.exe
  Size:    708KB
  MD5:     757844785304a9b94d0f994b24a2f177
  SHA1:    4d01dcfa4292530139fc7d9264466bafd63ab8ed
  SHA256:  9c3da492d0b98fec833d5217e46cee71fd67cf4d0bae48267cc4007095f096d2
  SHA512:  5d0c21c7648c2b618eb079bb2cf699f89a36deab5e360b9db3244b1213b1da967b248708999bc89c7d039c9afdb5b3c4756f34d3e6203d8ef3b1ca89cd5a8176
Malware Config
Signatures
Beds Protector Packer (1 IoC)
Detects Beds Protector packer used to load .NET malware.
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/636-7-0x0000000004C50000-0x0000000004CFE000-memory.dmp   beds_protector
NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3764-11-0x0000000000400000-0x0000000000484000-memory.dmp  MailPassView
  behavioral2/memory/3764-12-0x000000000047EA9E-mapping.dmp                    MailPassView
  behavioral2/memory/3860-25-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/3860-26-0x0000000000411654-mapping.dmp                    MailPassView
  behavioral2/memory/3860-27-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3764-11-0x0000000000400000-0x0000000000484000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3764-12-0x000000000047EA9E-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/2888-29-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2888-30-0x0000000000442628-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/2888-32-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
Nirsoft (8 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3764-11-0x0000000000400000-0x0000000000484000-memory.dmp  Nirsoft
  behavioral2/memory/3764-12-0x000000000047EA9E-mapping.dmp                    Nirsoft
  behavioral2/memory/3860-25-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/3860-26-0x0000000000411654-mapping.dmp                    Nirsoft
  behavioral2/memory/3860-27-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/2888-29-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/2888-30-0x0000000000442628-mapping.dmp                    Nirsoft
  behavioral2/memory/2888-32-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
Uses the VBS compiler for execution (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  10    whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process                          target process
  PID 636 set thread context of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 3764 set thread context of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 set thread context of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2888  vbc.exe
  2888  vbc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3764  Payment Advice GLV225445686.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description                        pid   process                          target process
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 636 wrote to memory of 3764    636   Payment Advice GLV225445686.exe  Payment Advice GLV225445686.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 3860   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
  PID 3764 wrote to memory of 2888   3764  Payment Advice GLV225445686.exe  vbc.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe  (PID 636)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe  (PID 3764, child of 636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3860, child of 3764)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2888, child of 3764)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice GLV225445686.exe.log
  MD5:     a12c47683d03ed3323264b06840fea15
  SHA1:    5dc1d35c839bdd64d084a83ca422ebf2038a1f94
  SHA256:  e70034847f32a07907bf1dc9575f1d38ba028191170a653fcb7a171703f674cc
  SHA512:  e695bceaf8f2242530ca7db10e377211b52d9378d40ff7e9c88fef491e5793f9122404a1e6f3151179fd5500ab1a094cfa372e03bce417614fe1948b67541778

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5:     f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1:    9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256:  a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512:  72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196