Analysis
max time kernel: 4294209s
max time network: 130s
platform: windows7_x64
resource: win7-20220223-en
submitted: 10/03/2022, 03:46
Static task: static1

Behavioral task: behavioral1
  Sample: 68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: 68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
  Resource: win10v2004-en-20220112
General
Target: 68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
Size: 430KB
MD5: 5be38d3bc0d36a3b177d1979dc0c4f66
SHA1: 596a4027afbcfa3b286972c777e52e16759bf809
SHA256: 68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764
SHA512: f71fc5f4ed65286e1416d4bea0e4fac5b658ef0d835a659e47aae6b123b81687979644d16b669d2f3f8331ace293e260d2f0a34df17402f5d2292e55f924cfa3
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: YWhoQG..GhvdG1...
Signatures

NirSoft MailPassView 9 IoCs
Password recovery tool for various email clients
resource  yara_rule
behavioral1/files/0x000900000001230b-68.dat  MailPassView
behavioral1/files/0x000900000001230b-69.dat  MailPassView
behavioral1/files/0x000900000001230b-72.dat  MailPassView
behavioral1/files/0x000900000001230b-73.dat  MailPassView
behavioral1/files/0x000900000001230b-74.dat  MailPassView
behavioral1/memory/620-88-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/620-93-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/files/0x000900000001230b-104.dat  MailPassView
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/files/0x000900000001230b-68.dat  WebBrowserPassView
behavioral1/files/0x000900000001230b-69.dat  WebBrowserPassView
behavioral1/files/0x000900000001230b-72.dat  WebBrowserPassView
behavioral1/files/0x000900000001230b-73.dat  WebBrowserPassView
behavioral1/files/0x000900000001230b-74.dat  WebBrowserPassView
behavioral1/memory/1456-95-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1456-99-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1456-101-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/files/0x000900000001230b-104.dat  WebBrowserPassView
Nirsoft 12 IoCs
resource  yara_rule
behavioral1/files/0x000900000001230b-68.dat  Nirsoft
behavioral1/files/0x000900000001230b-69.dat  Nirsoft
behavioral1/files/0x000900000001230b-72.dat  Nirsoft
behavioral1/files/0x000900000001230b-73.dat  Nirsoft
behavioral1/files/0x000900000001230b-74.dat  Nirsoft
behavioral1/memory/620-88-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/620-93-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1456-95-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1456-99-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1456-101-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/files/0x000900000001230b-104.dat  Nirsoft
Executes dropped EXE 4 IoCs
pid   Process
524   MULTIBOT05.exe
472   svchost.exe
600   taskhost.exe
1556  svchost.exe
Modifies Installed Components in the registry 2 TTPs
Loads dropped DLL 11 IoCs
pid   Process
1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
524   MULTIBOT05.exe
524   MULTIBOT05.exe
524   MULTIBOT05.exe
1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
600   taskhost.exe
600   taskhost.exe
764   dw20.exe
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Adds Run key to start application 2 TTPs 5 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server windows host = "C:\\Users\\avatarrr\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\server windows host = "C:\\Users\\avatarrr\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\server windows host = "C:\\Users\\avatarrr\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server windows host = "C:\\Users\\avatarrr\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  taskhost.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
9  whatismyipaddress.com
6  whatismyipaddress.com
8  whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 600 set thread context of 620  600  taskhost.exe  32
PID 600 set thread context of 1456  600  taskhost.exe  33
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies system certificate store 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  svchost.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value not preserved in this copy of the report]  svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid  Process
472  svchost.exe
472  svchost.exe
600  taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1556  svchost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs
pid  Process
600  taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  472  svchost.exe
Token: SeDebugPrivilege  600  taskhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
524   MULTIBOT05.exe
472   svchost.exe
1556  svchost.exe
600   taskhost.exe
Suspicious use of WriteProcessMemory 54 IoCs
description  pid  Process  procid_target
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 524  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  27
PID 1940 wrote to memory of 472  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  28
PID 1940 wrote to memory of 472  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  28
PID 1940 wrote to memory of 472  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  28
PID 1940 wrote to memory of 472  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  28
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 1940 wrote to memory of 600  1940  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe  29
PID 472 wrote to memory of 1556  472  svchost.exe  30
PID 472 wrote to memory of 1556  472  svchost.exe  30
PID 472 wrote to memory of 1556  472  svchost.exe  30
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 620  600  taskhost.exe  32
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 1456  600  taskhost.exe  33
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
PID 600 wrote to memory of 764  600  taskhost.exe  37
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1940

  Level 2: C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID: 524

  Level 2: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 472

    Level 3: C:\Users\avatarrr\AppData\Roaming\Microsoft\Local\svchost.exe
      Command line: "C:\Users\avatarrr\AppData\Roaming\Microsoft\Local\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 1556

  Level 2: C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 600

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
      PID: 620

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      PID: 1456

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 540
      - Loads dropped DLL
      PID: 764