Analysis Overview
SHA256
0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c
Threat Level: Known bad
The file 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c was found to be: Known bad.
Malicious Activity Summary
HawkEye
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service
autoit_exe
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-22 20:50
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-22 20:50
Reported
2022-02-22 21:04
Platform
win7-en-20211208
Max time kernel
148s
Max time network
136s
Command Line
Signatures
HawkEye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3466\3466.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1772 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1772 set thread context of 980 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"
C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.155.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.155.36:443 | whatismyipaddress.com | tcp |
| US | 104.16.155.36:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| US | 142.250.102.109:587 | smtp.gmail.com | tcp |
| US | 142.250.102.109:587 | smtp.gmail.com | tcp |
Files
memory/1472-54-0x0000000076151000-0x0000000076153000-memory.dmp
\Users\Admin\AppData\Local\Temp\3466\3466.exe
| MD5 | 8911ced838a1e703cd5feec9a6cd3d86 |
| SHA1 | a0b7da517f0a6eceb94e29e00f78630cb96ba046 |
| SHA256 | f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102 |
| SHA512 | 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632 |
C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
| MD5 | 8911ced838a1e703cd5feec9a6cd3d86 |
| SHA1 | a0b7da517f0a6eceb94e29e00f78630cb96ba046 |
| SHA256 | f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102 |
| SHA512 | 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632 |
memory/1064-62-0x0000000074251000-0x0000000074252000-memory.dmp
memory/1064-64-0x0000000074252000-0x0000000074254000-memory.dmp
memory/1064-63-0x0000000000750000-0x0000000000751000-memory.dmp
\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 8911ced838a1e703cd5feec9a6cd3d86 |
| SHA1 | a0b7da517f0a6eceb94e29e00f78630cb96ba046 |
| SHA256 | f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102 |
| SHA512 | 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632 |
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 8911ced838a1e703cd5feec9a6cd3d86 |
| SHA1 | a0b7da517f0a6eceb94e29e00f78630cb96ba046 |
| SHA256 | f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102 |
| SHA512 | 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632 |
memory/1772-70-0x00000000021F0000-0x00000000021F1000-memory.dmp
memory/1772-69-0x0000000074251000-0x0000000074252000-memory.dmp
memory/1772-71-0x0000000074252000-0x0000000074254000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 99de8d7177c283523f98a7d7dd0519c3 |
| SHA1 | 04864a33e03c6a5bc3c8b5bb9fb8a127a39455ab |
| SHA256 | 6501ba7ac6b6a7b48f6a06963b2101112ff8587d4873d497eb7fa4880acb47bb |
| SHA512 | 96acbc6f5e2fb7b42d3c657807600e5f10afa028601e651625d95066d7b270331b0e23d839031ac672431d865c3eb853eef91f18d3da9345add7887b7cfc6da0 |
memory/1960-73-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1772-75-0x0000000002206000-0x0000000002207000-memory.dmp
memory/1960-76-0x0000000000400000-0x000000000041B000-memory.dmp
memory/980-77-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/980-80-0x0000000000400000-0x0000000000458000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-22 20:50
Reported
2022-02-22 21:04
Platform
win10v2004-en-20220113
Max time kernel
150s
Max time network
168s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3466\3466.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"
C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
| MD5 | 8911ced838a1e703cd5feec9a6cd3d86 |
| SHA1 | a0b7da517f0a6eceb94e29e00f78630cb96ba046 |
| SHA256 | f7c260f7f93ba2044e65d7bb132946705fbfdca2b4769d762b7cadd51131a102 |
| SHA512 | 95aeaa2c7eafdec567d75b357d585a96886cd51df772ca97e599ee9478fa013765352eb8af2923692122ce90d8d5d878c11e10e9200051b94e36e351f8139632 |