Analysis
max time kernel: 158s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22/02/2022, 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
  Resource: win10v2004-en-20220113
General
Target: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
Size: 13.7MB
MD5: c2183b7c9c1379e8f373afb7dc3ce5c6
SHA1: aa108b83f7a8b3549da0d73fff9b7437a390ae74
SHA256: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2
SHA512: cc2ef515ed510fb24c4646e485a91b48f8fd7a1c301d1097cb320dac84b527ac9674c39400bc095b17361ea375bb9b291fd714ce8c1efcd9a277d07a449ccdeb
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: zcb79451
Signatures
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
resource                                      yara_rule
behavioral1/files/0x00070000000132cc-58.dat   MailPassView
behavioral1/files/0x00070000000132cc-59.dat   MailPassView
behavioral1/files/0x00070000000132cc-60.dat   MailPassView
behavioral1/files/0x0006000000013947-100.dat  MailPassView
behavioral1/files/0x0006000000013947-101.dat  MailPassView
behavioral1/files/0x0006000000013947-102.dat  MailPassView
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource                                      yara_rule
behavioral1/files/0x00070000000132cc-58.dat   WebBrowserPassView
behavioral1/files/0x00070000000132cc-59.dat   WebBrowserPassView
behavioral1/files/0x00070000000132cc-60.dat   WebBrowserPassView
behavioral1/files/0x0006000000013947-100.dat  WebBrowserPassView
behavioral1/files/0x0006000000013947-101.dat  WebBrowserPassView
behavioral1/files/0x0006000000013947-102.dat  WebBrowserPassView
Nirsoft 13 IoCs
resource                                                                    yara_rule
behavioral1/files/0x00070000000132cc-58.dat                                 Nirsoft
behavioral1/files/0x00070000000132cc-59.dat                                 Nirsoft
behavioral1/files/0x00070000000132cc-60.dat                                 Nirsoft
behavioral1/memory/1660-79-0x0000000000C60000-0x0000000000CC2000-memory.dmp Nirsoft
behavioral1/files/0x00070000000138c1-81.dat                                 Nirsoft
behavioral1/files/0x00070000000138c1-82.dat                                 Nirsoft
behavioral1/files/0x00070000000138c1-83.dat                                 Nirsoft
behavioral1/files/0x0006000000013929-90.dat                                 Nirsoft
behavioral1/files/0x0006000000013929-91.dat                                 Nirsoft
behavioral1/files/0x0006000000013929-92.dat                                 Nirsoft
behavioral1/files/0x0006000000013947-100.dat                                Nirsoft
behavioral1/files/0x0006000000013947-101.dat                                Nirsoft
behavioral1/files/0x0006000000013947-102.dat                                Nirsoft
Executes dropped EXE 9 IoCs
pid   Process
1660  SMB2021.dll.exe
760   34.exe
1060  saint-1.0-jar-with-dependencies.exe
1736  result.exe
1704  WebBrowserPassView1.exe
1760  WebBrowserPassView2.exe
1936  WebBrowserPassView3.exe
1784  WebBrowserPassView4.exe
1920  Windows Update.exe

resource                                     yara_rule
behavioral1/files/0x0006000000013921-86.dat  upx
behavioral1/files/0x0006000000013921-88.dat  upx
behavioral1/files/0x0006000000013921-87.dat  upx
behavioral1/files/0x0005000000012062-95.dat  upx
behavioral1/files/0x0005000000012062-96.dat  upx
behavioral1/files/0x0005000000012062-97.dat  upx
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                            Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  result.exe
Loads dropped DLL 14 IoCs
pid   Process                                                                (entries)
740   0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe  5
1660  SMB2021.dll.exe                                                        8
760   34.exe                                                                 1
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     whatismyip.akamai.com
9     whatismyipaddress.com
11    whatismyipaddress.com
12    whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                 Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      result.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  result.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           result.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process             (entries)
1736  result.exe          8
1920  Windows Update.exe  56
Suspicious use of AdjustPrivilegeToken 5 IoCs
description                 pid   Process
Token: SeDebugPrivilege     1760  WebBrowserPassView2.exe
Token: SeRestorePrivilege   1760  WebBrowserPassView2.exe
Token: SeBackupPrivilege    1760  WebBrowserPassView2.exe
Token: SeDebugPrivilege     1660  SMB2021.dll.exe
Token: SeDebugPrivilege     1920  Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1920  Windows Update.exe
Suspicious use of WriteProcessMemory 47 IoCs
description                          pid   Process                                                                procid_target  (entries)
PID 740 wrote to memory of 1660      740   0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe  27             4
PID 740 wrote to memory of 760       740   0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe  28             4
PID 740 wrote to memory of 1060      740   0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe  29             4
PID 740 wrote to memory of 1736      740   0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe  30             4
PID 1060 wrote to memory of 1092     1060  saint-1.0-jar-with-dependencies.exe                                    31             4
PID 1660 wrote to memory of 1704     1660  SMB2021.dll.exe                                                        33             4
PID 1660 wrote to memory of 1760     1660  SMB2021.dll.exe                                                        34             4
PID 1660 wrote to memory of 1936     1660  SMB2021.dll.exe                                                        35             4
PID 1660 wrote to memory of 1784     1660  SMB2021.dll.exe                                                        36             4
PID 760 wrote to memory of 1920      760   34.exe                                                                 38             7
PID 1736 wrote to memory of 1860     1736  result.exe                                                             39             4
Processes
C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe"
  PID: 740
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe"
    PID: 1660
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
      PID: 1704
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
      PID: 1760
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
      PID: 1936
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
      PID: 1784
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\34.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\34.exe"
    PID: 760
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 1920
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
    PID: 1060
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Java\jre7\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
      PID: 1092
  C:\Users\Admin\AppData\Local\Temp\result.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\result.exe"
    PID: 1736
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\result.exe" >> NUL
      PID: 1860