Analysis
-
max time kernel
148s -
max time network
136s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
22/02/2022, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
Resource
win10v2004-en-20220113
General
-
Target
0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
-
Size
1.6MB
-
MD5
ff3fe4fe833b4f463bee3ef01057bf3a
-
SHA1
7eb61441d0d14117c05edbbff96bedf438561b67
-
SHA256
0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c
-
SHA512
91d7b35777afd433b250fc1a601a172440270be2e50af55f3e035e503c5f4a61ee2a131bd19c77611beaa7262cc9fa6cef16dea23f68497c833d95c5f6bb523c
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
asa112233
Signatures
-
NirSoft MailPassView 11 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/files/0x0008000000013327-55.dat MailPassView behavioral1/files/0x0008000000013327-56.dat MailPassView behavioral1/files/0x0008000000013327-57.dat MailPassView behavioral1/files/0x0008000000013327-58.dat MailPassView behavioral1/files/0x0008000000013327-59.dat MailPassView behavioral1/files/0x0008000000013327-60.dat MailPassView behavioral1/files/0x0006000000013919-65.dat MailPassView behavioral1/files/0x0006000000013919-66.dat MailPassView behavioral1/files/0x0006000000013919-67.dat MailPassView behavioral1/memory/1960-73-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1960-76-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 11 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/files/0x0008000000013327-55.dat WebBrowserPassView behavioral1/files/0x0008000000013327-56.dat WebBrowserPassView behavioral1/files/0x0008000000013327-57.dat WebBrowserPassView behavioral1/files/0x0008000000013327-58.dat WebBrowserPassView behavioral1/files/0x0008000000013327-59.dat WebBrowserPassView behavioral1/files/0x0008000000013327-60.dat WebBrowserPassView behavioral1/files/0x0006000000013919-65.dat WebBrowserPassView behavioral1/files/0x0006000000013919-66.dat WebBrowserPassView behavioral1/files/0x0006000000013919-67.dat WebBrowserPassView behavioral1/memory/980-77-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/980-80-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 13 IoCs
resource yara_rule behavioral1/files/0x0008000000013327-55.dat Nirsoft behavioral1/files/0x0008000000013327-56.dat Nirsoft behavioral1/files/0x0008000000013327-57.dat Nirsoft behavioral1/files/0x0008000000013327-58.dat Nirsoft behavioral1/files/0x0008000000013327-59.dat Nirsoft behavioral1/files/0x0008000000013327-60.dat Nirsoft behavioral1/files/0x0006000000013919-65.dat Nirsoft behavioral1/files/0x0006000000013919-66.dat Nirsoft behavioral1/files/0x0006000000013919-67.dat Nirsoft behavioral1/memory/1960-73-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1960-76-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/980-77-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/980-80-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
pid Process 1064 3466.exe 1772 Windows Update.exe -
Loads dropped DLL 5 IoCs
pid Process 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 1064 3466.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 whatismyipaddress.com 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1772 set thread context of 1960 1772 Windows Update.exe 30 PID 1772 set thread context of 980 1772 Windows Update.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1772 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1772 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1772 Windows Update.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 1472 wrote to memory of 1064 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 27 PID 1472 wrote to memory of 1064 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 27 PID 1472 wrote to memory of 1064 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 27 PID 1472 wrote to memory of 1064 1472 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 27 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1064 wrote to memory of 1772 1064 3466.exe 28 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 1960 1772 Windows Update.exe 30 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31 PID 1772 wrote to memory of 980 1772 Windows Update.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
PID:1960
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵PID:980
-
-
-