Analysis
- max time kernel: 186s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: order17062020BN77384.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: order17062020BN77384.exe
  Resource: win10v2004-20220414-en
General
- Target: order17062020BN77384.exe
- Size: 924KB
- MD5: eeff91ec45d81b553a4772c1183be863
- SHA1: 9338477c46a9ebfe2338a9783efe15ec0eced3cf
- SHA256: a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
- SHA512: 58a3a2b700a2e79b7c46f471745c3cc18026f8b4291df26c570e3a851347b56f58c056b3bfa4848b153db3b5e55930cb5505b4bcc4db4318f56872f35aa78d5c
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.urban.co.th
- Port: 587
- Username: [email protected]
- Password: Urban@1143
Signatures
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
Processes:
resource                                                                    yara_rule
behavioral1/memory/952-57-0x0000000001DC0000-0x0000000001E48000-memory.dmp  MailPassView
behavioral1/memory/952-58-0x0000000001DC0000-0x0000000001E48000-memory.dmp  MailPassView
behavioral1/memory/1840-76-0x0000000002170000-0x00000000021F8000-memory.dmp MailPassView
behavioral1/memory/1840-77-0x0000000002170000-0x00000000021F8000-memory.dmp MailPassView
behavioral1/memory/1716-80-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1716-81-0x0000000000411654-mapping.dmp                   MailPassView
behavioral1/memory/1716-84-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1716-87-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
-
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
Processes:
resource                                                                    yara_rule
behavioral1/memory/952-57-0x0000000001DC0000-0x0000000001E48000-memory.dmp  WebBrowserPassView
behavioral1/memory/952-58-0x0000000001DC0000-0x0000000001E48000-memory.dmp  WebBrowserPassView
behavioral1/memory/1840-76-0x0000000002170000-0x00000000021F8000-memory.dmp WebBrowserPassView
behavioral1/memory/1840-77-0x0000000002170000-0x00000000021F8000-memory.dmp WebBrowserPassView
behavioral1/memory/1884-88-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1884-89-0x0000000000442628-mapping.dmp                   WebBrowserPassView
behavioral1/memory/1884-92-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1884-94-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
-
Nirsoft 12 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/952-57-0x0000000001DC0000-0x0000000001E48000-memory.dmp  Nirsoft
behavioral1/memory/952-58-0x0000000001DC0000-0x0000000001E48000-memory.dmp  Nirsoft
behavioral1/memory/1840-76-0x0000000002170000-0x00000000021F8000-memory.dmp Nirsoft
behavioral1/memory/1840-77-0x0000000002170000-0x00000000021F8000-memory.dmp Nirsoft
behavioral1/memory/1716-80-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1716-81-0x0000000000411654-mapping.dmp                   Nirsoft
behavioral1/memory/1716-84-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1716-87-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1884-88-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
behavioral1/memory/1884-89-0x0000000000442628-mapping.dmp                   Nirsoft
behavioral1/memory/1884-92-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
behavioral1/memory/1884-94-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1696  Windows Update.exe
1840  Windows Update.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
1840  Windows Update.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid   process
952   order17062020BN77384.exe
1696  Windows Update.exe
1696  Windows Update.exe
1696  Windows Update.exe
1696  Windows Update.exe
1840  Windows Update.exe
1840  Windows Update.exe
1840  Windows Update.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description   ioc                                                                                                                          process
Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                        process
Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
7     whatismyipaddress.com
4     whatismyipaddress.com
6     whatismyipaddress.com
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process                   target process
PID 904 set thread context of 952    904   order17062020BN77384.exe  order17062020BN77384.exe
PID 1696 set thread context of 1840  1696  Windows Update.exe        Windows Update.exe
PID 1840 set thread context of 1716  1840  Windows Update.exe        vbc.exe
PID 1840 set thread context of 1884  1840  Windows Update.exe        vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
904   order17062020BN77384.exe
1696  Windows Update.exe
1840  Windows Update.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
904   order17062020BN77384.exe
1696  Windows Update.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   1840  Windows Update.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
1840  Windows Update.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes (identical rows collapsed; the count per row gives the number of recorded events):
description                        pid   process                   target process            events
PID 904 wrote to memory of 952     904   order17062020BN77384.exe  order17062020BN77384.exe  4
PID 952 wrote to memory of 1696    952   order17062020BN77384.exe  Windows Update.exe        7
PID 1696 wrote to memory of 1840   1696  Windows Update.exe        Windows Update.exe        7
PID 1840 wrote to memory of 1716   1840  Windows Update.exe        vbc.exe                   13
PID 1840 wrote to memory of 1884   1840  Windows Update.exe        vbc.exe                   13
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\order17062020BN77384.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\order17062020BN77384.exe"
  PID: 904
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\order17062020BN77384.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\order17062020BN77384.exe"
  PID: 952
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  PID: 1696
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
Level 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  PID: 1840
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  PID: 1716
  - Accesses Microsoft Outlook accounts
-
Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  PID: 1884
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 58B
MD5: dea58d1aa5929b2b938de563f2619846
SHA1: baa3c2eb672ec73e80953e94ca0ca5a9f50fd7d2
SHA256: 31ba94b91df34f0c8c4323732ddd163276af288a9389e8eea4baa05400f29d9f
SHA512: 6bdd5661e5fab50e85ed6074904e184edbeed8efaf7d826c60f3309e22236118911c72dd7e0e56cdd8b3b4b5ab8e5ad551256dd69126e9214269beae75bec635
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 924KB
MD5: eeff91ec45d81b553a4772c1183be863
SHA1: 9338477c46a9ebfe2338a9783efe15ec0eced3cf
SHA256: a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
SHA512: 58a3a2b700a2e79b7c46f471745c3cc18026f8b4291df26c570e3a851347b56f58c056b3bfa4848b153db3b5e55930cb5505b4bcc4db4318f56872f35aa78d5c
-
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 924KB
MD5: eeff91ec45d81b553a4772c1183be863
SHA1: 9338477c46a9ebfe2338a9783efe15ec0eced3cf
SHA256: a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
SHA512: 58a3a2b700a2e79b7c46f471745c3cc18026f8b4291df26c570e3a851347b56f58c056b3bfa4848b153db3b5e55930cb5505b4bcc4db4318f56872f35aa78d5c
-
memory/904-56-0x00000000003D0000-0x00000000003D9000-memory.dmp
Filesize: 36KB
-
memory/904-54-0x0000000076531000-0x0000000076533000-memory.dmp
Filesize: 8KB
-
memory/952-57-0x0000000001DC0000-0x0000000001E48000-memory.dmp
Filesize: 544KB
-
memory/952-58-0x0000000001DC0000-0x0000000001E48000-memory.dmp
Filesize: 544KB
-
memory/952-60-0x00000000749E0000-0x0000000074F8B000-memory.dmp
Filesize: 5.7MB
-
memory/952-55-0x000000000051B4E0-mapping.dmp
-
memory/1696-62-0x0000000000000000-mapping.dmp
-
memory/1716-81-0x0000000000411654-mapping.dmp
-
memory/1716-87-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/1716-84-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/1716-80-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/1840-79-0x0000000074770000-0x0000000074D1B000-memory.dmp
Filesize: 5.7MB
-
memory/1840-70-0x000000000051B4E0-mapping.dmp
-
memory/1840-86-0x00000000023D5000-0x00000000023E6000-memory.dmp
Filesize: 68KB
-
memory/1840-77-0x0000000002170000-0x00000000021F8000-memory.dmp
Filesize: 544KB
-
memory/1840-76-0x0000000002170000-0x00000000021F8000-memory.dmp
Filesize: 544KB
-
memory/1884-88-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/1884-89-0x0000000000442628-mapping.dmp
-
memory/1884-92-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/1884-94-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB