Analysis
-
max time kernel
4294208s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
10/03/2022, 02:55
Static task
static1
Behavioral task
behavioral1
Sample
6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe
Resource
win10v2004-en-20220113
General
-
Target
6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe
-
Size
522KB
-
MD5
48d4d71b8425a1b2c6e338581eaa1a57
-
SHA1
2eccb47306a0251a8767f80085c132807d24114e
-
SHA256
6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b
-
SHA512
c7048e207ed6d2d4efa85ace9e007325b0ac910d241d43a5bd5fc1e30cd5180651f494c08910c15d0b74555f6579976c332e2107642fad3af22588b573de6c4b
Malware Config
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/444-57-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/444-60-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1604-62-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1604-65-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
resource yara_rule behavioral1/memory/444-57-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/444-60-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1604-62-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1604-65-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 whatismyipaddress.com 7 whatismyipaddress.com 4 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 964 set thread context of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 set thread context of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 444 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 28 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 1604 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 29 PID 964 wrote to memory of 828 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 33 PID 964 wrote to memory of 828 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 33 PID 964 wrote to memory of 828 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 33 PID 964 wrote to memory of 828 964 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe"C:\Users\Admin\AppData\Local\Temp\6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
PID:444
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵PID:1604
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 4482⤵PID:828
-