Analysis

max time kernel: 4294213s (not plausible for a run whose network capture lasted 146s; treat it as a sandbox timer artefact rather than a real duration)
max time network: 146s
platform: windows7_x64
resource: win7-20220310-en
submitted: 10/03/2022, 04:16

Static task: static1
Behavioral task: behavioral1
  Sample: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
  Resource: win10v2004-20220310-en

General

Target: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
Size: 578KB
MD5: acf9e25c86232c4508b3cb2b94240efc
SHA1: 72bf43d4cdaef66fe09033a5b3c5ca71129c9215
SHA256: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996
SHA512: 296261037a6ceb1d1e43994a8d54c63ac17ee1be5c3f234bd10d38dc0121237e94d9cf16e54bea61dda0367596918ebd95d23e50fa1c40dd7f2e2a87365d8e1d
Malware Config: (empty in this report)

Signatures
All matches listed below come from behavioral1, the Windows 7 x64 run; no behavioral2 (Windows 10) matches appear in this report.
NirSoft MailPassView (7 IoCs)
Password recovery tool for various email clients
resource  yara_rule
  behavioral1/files/0x000b0000000122f9-55.dat  MailPassView
  behavioral1/files/0x000b0000000122f9-56.dat  MailPassView
  behavioral1/files/0x000b0000000122f9-57.dat  MailPassView
  behavioral1/files/0x000b0000000122f9-58.dat  MailPassView
  behavioral1/files/0x000b0000000122f9-59.dat  MailPassView
  behavioral1/files/0x000b0000000122f9-60.dat  MailPassView
  behavioral1/memory/1600-65-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
resource  yara_rule
  behavioral1/files/0x000b0000000122f9-55.dat  WebBrowserPassView
  behavioral1/files/0x000b0000000122f9-56.dat  WebBrowserPassView
  behavioral1/files/0x000b0000000122f9-57.dat  WebBrowserPassView
  behavioral1/files/0x000b0000000122f9-58.dat  WebBrowserPassView
  behavioral1/files/0x000b0000000122f9-59.dat  WebBrowserPassView
  behavioral1/files/0x000b0000000122f9-60.dat  WebBrowserPassView
Nirsoft (7 IoCs)
resource  yara_rule
  behavioral1/files/0x000b0000000122f9-55.dat  Nirsoft
  behavioral1/files/0x000b0000000122f9-56.dat  Nirsoft
  behavioral1/files/0x000b0000000122f9-57.dat  Nirsoft
  behavioral1/files/0x000b0000000122f9-58.dat  Nirsoft
  behavioral1/files/0x000b0000000122f9-59.dat  Nirsoft
  behavioral1/files/0x000b0000000122f9-60.dat  Nirsoft
  behavioral1/memory/1600-65-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
Executes dropped EXE (1 IoC)
pid   Process
  1932  Launcher.exe
Loads dropped DLL (4 IoCs)
pid   Process
  304   673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe (4 events)
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the VB.NET command-line compiler shipped with the .NET Framework, not a VBScript tool. Here it is launched with NirSoft's /stext save switch, which a compiler does not accept, so the process is hosting injected code rather than compiling anything; the SetThreadContext and WriteProcessMemory entries below and the MailPassView/Nirsoft YARA hits in PID 1600's memory show what was injected.
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Launcher.exe
The value name "Windows Update" and the binary placed under the user's AppData\Roaming both mimic a Windows component; a genuine Windows Update does not run from a per-user Run key.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
  6     whatismyipaddress.com
  7     whatismyipaddress.com
  4     whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process       procid_target
  PID 1932 set thread context of 1600  1932  Launcher.exe  31
Combined with the WriteProcessMemory calls from 1932 into 1600 below and the NirSoft YARA match in PID 1600's image at 0x400000-0x41B000, this is the process-hollowing pattern: Launcher.exe starts vbc.exe, writes the password-recovery payload into it and redirects the main thread with SetThreadContext.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This description is the sandbox's generic heuristic text. Nothing else in this report (no file encryption, no ransom note, no mass file writes) supports ransomware; the remaining signatures point to a credential stealer.
Suspicious use of WriteProcessMemory (20 IoCs)
description                      pid   Process                                                                 procid_target
  PID 304 wrote to memory of 1932  304   673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe  27  (7 events)
  PID 1932 wrote to memory of 1600 1932  Launcher.exe                                                            31  (13 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"
   PID: 304
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"
      PID: 1932
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
         PID: 1600

The RarSFX0 working directory is the temp folder WinRAR's self-extractor unpacks into, so the submitted sample is a RAR SFX archive that drops and runs Launcher.exe. /stext is the NirSoft command-line switch that writes recovered credentials to a text file; holdermail.txt is the file the hollowed MailPassView code in PID 1600 writes its output to.
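The chain above (SFX stub, dropped Launcher.exe, Run key into AppData\Roaming, vbc.exe hollowed with a NirSoft /stext switch, external IP lookup) is what an endpoint detection would need to recognise. The following is an added example, not part of the sandbox output: it runs three detections and a parent-chain walk over a handful of constructed Sysmon-style events that mirror this report's process tree, registry write and DNS query. The event field names, the parent PID 1200 of the SFX stub, the attribution of the DNS query to PID 1600, the benign vbc.exe build event used as a control, and the function names are all assumptions of this example.

```python
import re

# Constructed Sysmon-style events modelled on this report's process tree.
# Field names, the ppid of PID 304 and the pid on the dns_query are assumptions;
# the final vbc.exe event is a constructed benign control (a real VB build).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 304, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"'},
    {"type": "process_create", "pid": 1932, "ppid": 304,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"'},
    {"type": "registry_set", "pid": 1932,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe",
     "target": r"HKU\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "details": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"},
    {"type": "process_create", "pid": 1600, "ppid": 1932,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'},
    {"type": "dns_query", "pid": 1600,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "query": "whatismyipaddress.com"},
    {"type": "process_create", "pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"vbc.exe /noconfig /out:obj\Debug\App.exe Module1.vb"},
]

# Per-user, user-writable locations: a Run value pointing here, or written from here, is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# NirSoft "save report" switches (/stext, /scomma, /stab, /shtml, /sxml); vbc.exe has none of these.
NIRSOFT_SAVE_SWITCH = re.compile(r"/s(text|comma|tab|html|xml)\b", re.IGNORECASE)
# Only the lookup domain this report actually shows.
IP_LOOKUP_DOMAINS = {"whatismyipaddress.com"}


def detect_run_key_persistence(ev):
    """Run-key value written by a process in AppData or pointing at a binary in AppData."""
    if ev["type"] != "registry_set" or "\\CurrentVersion\\Run\\" not in ev["target"]:
        return None
    if USER_WRITABLE.search(ev["details"]) or USER_WRITABLE.search(ev["image"]):
        return ("run_key_from_appdata", ev["pid"])
    return None


def detect_nirsoft_host(ev):
    """vbc.exe started with a NirSoft save switch: a compiler never takes /stext,
    so the process is hosting injected password-recovery code."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\vbc.exe"):
        return None
    if NIRSOFT_SAVE_SWITCH.search(ev["cmdline"]):
        return ("vbc_hosting_nirsoft", ev["pid"])
    return None


def detect_ip_lookup(ev):
    """DNS query for a public what-is-my-IP service."""
    if ev["type"] == "dns_query" and ev["query"].lower() in IP_LOOKUP_DOMAINS:
        return ("external_ip_lookup", ev["pid"])
    return None


RULES = (detect_run_key_persistence, detect_nirsoft_host, detect_ip_lookup)


def run_detections(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def process_chain(events, pid):
    """Walk ppid links from pid to the root; returns image basenames, leaf first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(process_chain(SAMPLE_EVENTS, pid))}")
```

The vbc.exe rule keys on the command line rather than on the image alone because vbc.exe is a legitimate .NET Framework binary and does get launched by real builds, as the control event shows; the NirSoft save switch is the discriminator this report hands you. In production the chain walk would be used to enrich each hit with its ancestry (here vbc.exe under Launcher.exe under a Temp-dir SFX stub), which is what separates this from a developer's compile.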