Analysis
max time kernel: 137s
max time network: 124s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22/02/2022, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: 0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe
  Resource: win10v2004-en-20220113
All signatures and IoCs listed below come from behavioral1 (the Windows 7 x64 run); this report records no results for behavioral2.
General
Target: 0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe
Size: 521KB
MD5: d4f46b9f4fe5b1d4a86c0e24fdcc4dae
SHA1: 846da87986e53202f4ebf79ff780e96331711b08
SHA256: 0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c
SHA512: 605782e589e17cdfee5ca5f0694aea7caffbc06f92ff31fb2c822b17ba6eef92865ba0fedf3fe8f11cefb34110308ad10af190a5423a7e4d90061979e9dcebae
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: GODbless888
Note: these are the exfiltration credentials recovered from the sample (SMTP submission to Yandex on port 587). The only network IoCs in the behavioral run are the whatismyipaddress.com lookups listed under Signatures; no connection to smtp.yandex.com is recorded in this report.
Signatures
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
resource  yara_rule
behavioral1/files/0x000800000001223c-58.dat  MailPassView
behavioral1/files/0x000800000001223c-59.dat  MailPassView
behavioral1/files/0x000800000001223c-60.dat  MailPassView
behavioral1/memory/1060-66-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1060-69-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/files/0x000800000001223c-76.dat  MailPassView
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/files/0x000800000001223c-58.dat  WebBrowserPassView
behavioral1/files/0x000800000001223c-59.dat  WebBrowserPassView
behavioral1/files/0x000800000001223c-60.dat  WebBrowserPassView
behavioral1/memory/2040-71-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/2040-73-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/files/0x000800000001223c-76.dat  WebBrowserPassView
Nirsoft 8 IoCs
resource  yara_rule
behavioral1/files/0x000800000001223c-58.dat  Nirsoft
behavioral1/files/0x000800000001223c-59.dat  Nirsoft
behavioral1/files/0x000800000001223c-60.dat  Nirsoft
behavioral1/memory/1060-66-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1060-69-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/2040-71-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/2040-73-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/files/0x000800000001223c-76.dat  Nirsoft
Note: the single dropped file 0x000800000001223c matches both the MailPassView and WebBrowserPassView rules, while the memory hits are split: PID 1060 (image 0x400000-0x41B000) carries only MailPassView and PID 2040 (0x400000-0x458000) only WebBrowserPassView. The dropped file bundles both NirSoft tools and each one is unpacked into its own hollowed vbc.exe process.
Executes dropped EXE 1 IoCs
pid  Process
520  Windows Update.exe
Deletes itself 1 IoCs
pid  Process
520  Windows Update.exe
Loads dropped DLL 2 IoCs
pid  Process
1748  0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe
1556  dw20.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Note: vbc.exe (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe) is the Visual Basic .NET command-line compiler, not a VBScript engine. It is launched here with /stext, a NirSoft "save as text" export switch that vbc.exe does not recognise, and its memory carries the NirSoft payloads: the compiler is only a hollowed host process (see the SetThreadContext and WriteProcessMemory entries below).
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe
Note: the Run value points at WindowsUpdate.exe (no space), while the binary that was dropped and executed is Windows Update.exe (with a space). This report records no write of WindowsUpdate.exe, so confirm whether the persistence target exists on disk before treating it as a working autostart; a hunt should match both spellings.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4  whatismyipaddress.com
6  whatismyipaddress.com
7  whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 520 set thread context of 1060  520  Windows Update.exe  29
PID 520 set thread context of 2040  520  Windows Update.exe  30
Note: both targets are the vbc.exe children in the process tree below. WriteProcessMemory into a freshly created process followed by SetThreadContext is the process-hollowing sequence; the MailPassView and WebBrowserPassView YARA hits in the memory of PIDs 1060 and 2040 are the injected payloads.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is generic signature text: nothing else in this report shows encryption or ransom activity, and drive enumeration is also routine for a stealer.
Modifies system certificate store 4 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118  Windows Update.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 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  Windows Update.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 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  Windows Update.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73  Windows Update.exe
Note: the Blob is a CryptoAPI serialized certificate record (propid, reserved=1, length, data, repeated) and its 0x20 property decodes to the Certum CA root certificate (C=PL, O=Unizeto Sp. z o.o., CN=Certum CA, serial 0x10020, valid 2002-06-11 to 2027-06-11, friendly name "Certum"); the SHA-1 property 6252DC40F71143A22FDE9EF7348E064251B18118 is the key name. AuthRoot is the store that CryptoAPI's automatic root update fills when a chain ends in a Microsoft-trusted root that is not yet cached locally, which is expected during a run that made TLS connections. On its own this entry is not evidence that the sample installed its own root; it would be if the write targeted the Root store or the thumbprint were not a known trusted root, so verify the thumbprint before promoting it to an IoC.
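An added example, not part of the sandbox report and not the sample's own code, showing how to parse the serialized Blob value format above and cross-check the registry key name against the certificate embedded in it, so that an AuthRoot or Root write can be triaged by thumbprint rather than by eye. The sample blob is constructed with a placeholder payload in place of the Certum CA DER, and the function names and the store classification are the example's own assumptions.

```python
"""Parse and verify a CryptoAPI serialized certificate ("Blob") registry value.

Layout of ...\SystemCertificates\<store>\Certificates\<sha1>\Blob, repeated
until the buffer is exhausted:
    DWORD propid | DWORD reserved (always 1) | DWORD length | <length> bytes
Properties used here (CERT_*_PROP_ID values from wincrypt.h):
    0x03 SHA-1 hash (must equal the key name)     0x04 MD5 hash
    0x0B friendly name, UTF-16LE, NUL-terminated  0x20 DER certificate
The sample blob below is constructed for this example: its "certificate" is
a placeholder byte string, not the Certum CA DER from the report.
"""
import hashlib
import struct

PROP_SHA1, PROP_MD5, PROP_FRIENDLY, PROP_CERT = 0x03, 0x04, 0x0B, 0x20


def parse_blob(blob):
    """Return {propid: data}; raise ValueError on a truncated or malformed blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %#x" % off)
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("unexpected reserved value %d at offset %#x" % (reserved, off))
        off += 12
        if off + length > len(blob):
            raise ValueError("property %#x runs past the end of the blob" % propid)
        props[propid] = bytes(blob[off:off + length])
        off += length
    return props


def build_blob(props):
    """Inverse of parse_blob; used only to construct the sample below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


def store_from_path(regpath):
    """Store name from a ...\\SystemCertificates\\<store>\\Certificates\\<sha1> path."""
    parts = regpath.split("\\")
    for i, part in enumerate(parts):
        if part.lower() == "systemcertificates" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def verify_entry(regpath, blob):
    """Cross-check the key name and hash properties against the embedded DER."""
    props = parse_blob(blob)
    der = props.get(PROP_CERT)
    if der is None:
        raise ValueError("blob carries no certificate (property 0x20)")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    key_name = regpath.rstrip("\\").rsplit("\\", 1)[-1].upper()
    store = store_from_path(regpath) or ""
    return {
        "store": store,
        "thumbprint": sha1,
        "key_matches_cert": key_name == sha1,
        "sha1_prop_matches": props.get(PROP_SHA1, b"").hex().upper() == sha1,
        "md5_prop_matches": props.get(PROP_MD5, b"").hex() == hashlib.md5(der).hexdigest(),
        "friendly_name": props.get(PROP_FRIENDLY, b"").decode("utf-16-le").rstrip("\0"),
        # AuthRoot is filled by CryptoAPI's automatic root update; Root holds
        # roots installed locally. Only the latter is a direct trust change.
        "locally_installed_root": store.lower() == "root",
    }


# Constructed sample: placeholder payload, hashed so the properties are consistent.
SAMPLE_DER = b"\x30\x82\x00\x30constructed placeholder, not a real X.509 certificate"
SAMPLE_PROPS = [
    (PROP_FRIENDLY, "Certum".encode("utf-16-le") + b"\x00\x00"),
    (PROP_SHA1, hashlib.sha1(SAMPLE_DER).digest()),
    (PROP_MD5, hashlib.md5(SAMPLE_DER).digest()),
    (PROP_CERT, SAMPLE_DER),
]
SAMPLE_BLOB = build_blob(SAMPLE_PROPS)
SAMPLE_PATH = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
               + "\\" + hashlib.sha1(SAMPLE_DER).hexdigest().upper())

if __name__ == "__main__":
    for k, v in verify_entry(SAMPLE_PATH, SAMPLE_BLOB).items():
        print("%-24s %s" % (k, v))
```

To apply this to the real entry, export the Blob value with reg.exe or read it via winreg, pass the raw bytes and the key path to verify_entry, and compare the returned thumbprint with the published Certum CA root fingerprint; a mismatch between key name and embedded certificate, or a write under Root rather than AuthRoot, is what would turn this signature into a finding.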
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
520  Windows Update.exe
520  Windows Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  520  Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
520  Windows Update.exe
Suspicious use of WriteProcessMemory 31 IoCs
description  pid  Process  procid_target  entries
PID 1748 wrote to memory of 520  1748  0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe  27  7
PID 520 wrote to memory of 1060  520  Windows Update.exe  29  10
PID 520 wrote to memory of 2040  520  Windows Update.exe  30  10
PID 520 wrote to memory of 1556  520  Windows Update.exe  34  4
(identical rows collapsed; the entries column gives how many times each row appears in the report, 31 in total)
Processes
C:\Users\Admin\AppData\Local\Temp\0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe  (PID 1748, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Windows Update.exe  (PID 520, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1060, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2040, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 1556, level 3)
      Command line: dw20.exe -x -s 1372
      - Loads dropped DLL
Reading the tree: the dropper (PID 1748) writes and starts Windows Update.exe from the roaming profile, which in turn hollows two copies of the VB.NET compiler. PID 1060 runs the MailPassView payload and writes its /stext export to holdermail.txt (hence the Outlook account key access); PID 2040 runs WebBrowserPassView and writes holderwb.txt. Both output paths are the files a responder should look for on an infected host. dw20.exe is the .NET error-reporting shim that the CLR launches when its host process hits an unhandled exception, so Windows Update.exe crashed before the run ended; the v2.0.50727 paths show the payload runs on CLR 2.0.
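An added detection example, written for this page rather than taken from the sandbox report or the sample, that turns the three observations in this report into checks over process-creation records: the VB.NET compiler launched with a NirSoft export switch it does not accept, a .NET Framework host spawned by a binary in a user-writable directory, and a Windows-component name running from the roaming profile. It also checks the Run value for the spelling mismatch noted above. The record shape, the sample events and the function names are this example's assumptions; the PIDs, paths and command lines are constructed to mirror the process tree.

```python
"""Detection checks for the hollowed-vbc.exe stealer pattern in this report.

Input is constructed, not the sandbox's raw log: Sysmon-style process-creation
records (parent image, image, command line) plus one Run-key value. Checks:
  1. vbc.exe is the VB.NET compiler and has no /stext switch; /stext is the
     NirSoft "save as text" switch, so vbc.exe /stext <file> is a hollowed host.
  2. A .NET Framework host whose parent lives under a user profile.
  3. A binary named like a Windows component ("Windows Update.exe") running
     from %APPDATA%, and a Run value that points at such a path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:  # assumed record shape, constructed for this example
    pid: int
    parent_image: str
    image: str
    command_line: str


# NirSoft export switches (MailPassView, WebBrowserPassView and siblings).
NIRSOFT_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab"}
# .NET Framework binaries commonly abused as hollowing or injection hosts.
DOTNET_HOST_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\"
    r"(vbc|csc|msbuild|regsvcs|regasm|installutil|aspnet_compiler)\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
# Names that belong to Windows components and never run from a user profile.
MASQUERADE_NAMES = {"windowsupdate", "svchost", "explorer", "lsass", "csrss"}


def _stem(path: str) -> str:
    """Basename without extension: 'C:\\x\\Windows Update.exe' -> 'Windows Update'."""
    base = path.strip('"').rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def _norm(name: str) -> str:
    """Lower-case and drop spaces/underscores/dashes so spelling variants collide."""
    return re.sub(r"[\s_\-]", "", name).lower()


def classify(ev: ProcEvent) -> List[str]:
    hits = []
    args = {a.lower() for a in ev.command_line.split()}
    is_dotnet_host = bool(DOTNET_HOST_RE.search(ev.image))
    if is_dotnet_host and args & NIRSOFT_SWITCHES:
        hits.append("nirsoft_switch_in_dotnet_host")      # report: PIDs 1060, 2040
    if is_dotnet_host and USER_WRITABLE_RE.match(ev.parent_image):
        hits.append("dotnet_host_spawned_from_user_dir")   # parent: Windows Update.exe
    if USER_WRITABLE_RE.match(ev.image) and _norm(_stem(ev.image)) in MASQUERADE_NAMES:
        hits.append("system_name_masquerade_in_user_dir")  # report: PID 520
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: hits} for every event that triggers at least one check."""
    return {ev.pid: h for ev in events if (h := classify(ev))}


def run_value_is_suspicious(value_name: str, target: str) -> bool:
    """Run-key persistence mimicking a Windows component from a user-writable dir."""
    return bool(USER_WRITABLE_RE.match(target.strip('"'))) and _norm(value_name) in MASQUERADE_NAMES


def run_target_exists(target: str, written_files: List[str]) -> bool:
    """Does the persistence target match (case-insensitively) a file the run wrote?"""
    want = target.strip('"').lower()
    return any(f.lower() == want for f in written_files)


# Constructed sample events mirroring the report's process tree, plus one benign build.
S = r"C:\Users\Admin\AppData\Local\Temp\0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe"
WU = r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    ProcEvent(1748, r"C:\Windows\explorer.exe", S, '"' + S + '"'),
    ProcEvent(520, S, WU, '"' + WU + '"'),
    ProcEvent(1060, WU, VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    ProcEvent(2040, WU, VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    ProcEvent(1556, WU, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe", "dw20.exe -x -s 1372"),
    ProcEvent(4000, r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe", VBC,
              VBC + " /noconfig /target:library /out:app.dll app.vb"),  # benign compile
]
DROPPED_FILES = [WU, r"C:\Users\Admin\AppData\Local\Temp\holdermail.txt",
                 r"C:\Users\Admin\AppData\Local\Temp\holderwb.txt"]  # constructed
RUN_VALUE = ("Windows Update", r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe")  # from the report

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("run value suspicious:", run_value_is_suspicious(*RUN_VALUE),
          "target written:", run_target_exists(RUN_VALUE[1], DROPPED_FILES))
```

The benign MSBuild-driven compile produces no hits because its parent is outside the user profile and its switches are real compiler switches; the two hollowed vbc.exe instances trip both compiler checks, and the Run value is flagged while its target is absent from the written-file list, which is the spelling mismatch the report shows.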