Analysis

max time kernel: 139s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22/02/2022, 20:49
Static task: static1

Behavioral task: behavioral1
Sample: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe
Resource: win10v2004-en-20220113
General

Target: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe
Size: 506KB
MD5: 4c9b6f853ba3503aa128ed95bb9485c0
SHA1: 65c7ba7fd7bc6745ab4a2b2dde97015f64796995
SHA256: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25
SHA512: 8bdd7547ac203bb5a43deeb6070ca2bee5eada4bf6d7ea0b56f343a8fb5e4cbb18f9dd8595e1c15b4fc03c244f160e7a369ddbf415ada4a43404e73325ee6841
Malware Config

Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: godfirst123123123
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource: behavioral1/memory/1140-59-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: MailPassView
resource: behavioral1/memory/1140-61-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource: behavioral1/memory/1164-62-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: WebBrowserPassView
resource: behavioral1/memory/1164-65-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: WebBrowserPassView

Nirsoft (4 IoCs)
resource: behavioral1/memory/1140-59-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: Nirsoft
resource: behavioral1/memory/1140-61-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: Nirsoft
resource: behavioral1/memory/1164-62-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: Nirsoft
resource: behavioral1/memory/1164-65-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: Nirsoft

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: vbc.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"
Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: whatismyipaddress.com
flow 6: whatismyipaddress.com
flow 7: whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
description: PID 288 set thread context of 1140; pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe; procid_target: 28
description: PID 288 set thread context of 1164; pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe; procid_target: 29
Modifies system certificate store
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

description: Set value (data)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = (value not captured)
Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

description: Set value (data)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = (value not captured)
Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

description: Set value (data)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73
Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege; pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description: PID 288 wrote to memory of 1140; pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe; procid_target: 28 (10 identical entries)
description: PID 288 wrote to memory of 1164; pid: 288; Process: 0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe; procid_target: 29 (10 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe (PID 288)
Command line: "C:\Users\Admin\AppData\Local\Temp\0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1140, child process of PID 288)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  - Accesses Microsoft Outlook accounts

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1164, child process of PID 288)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"