Analysis
- max time kernel: 108s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: PO3902939304.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO3902939304.exe
  Resource: win10v2004-20220414-en
General
- Target: PO3902939304.exe
- Size: 976KB
- MD5: ab0e982a52e2b90858413c0b49102fa1
- SHA1: 28b4bd9790d00b2b8287f15e8c6b6a29661e8cf0
- SHA256: 0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
- SHA512: 5e3cfe9999288a63fcbad2cd69927b9ad062683014e15a4c483053bfa446d9bb7b1af58a5c0cc57271d615471548c219aefebb051748e9790e0adda82b412f10
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.urban.co.th
- Port: 587
- Username: [email protected]
- Password: Urban@1143
Signatures
- NirSoft MailPassView 8 IoCs
  Password recovery tool for various email clients
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4724-131-0x0000000000B20000-0x0000000000BA8000-memory.dmp  MailPassView
  behavioral2/memory/4724-132-0x0000000000B20000-0x0000000000BA8000-memory.dmp  MailPassView
  behavioral2/memory/3616-141-0x0000000000B10000-0x0000000000B98000-memory.dmp  MailPassView
  behavioral2/memory/3616-140-0x0000000000B10000-0x0000000000B98000-memory.dmp  MailPassView
  behavioral2/memory/4372-144-0x0000000000000000-mapping.dmp                    MailPassView
  behavioral2/memory/4372-145-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/4372-147-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/4372-148-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
- NirSoft WebBrowserPassView 8 IoCs
  Password recovery tool for various web browsers
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4724-131-0x0000000000B20000-0x0000000000BA8000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4724-132-0x0000000000B20000-0x0000000000BA8000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3616-141-0x0000000000B10000-0x0000000000B98000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3616-140-0x0000000000B10000-0x0000000000B98000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4764-149-0x0000000000000000-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/4764-150-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4764-152-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4764-153-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
- Nirsoft 12 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4724-131-0x0000000000B20000-0x0000000000BA8000-memory.dmp  Nirsoft
  behavioral2/memory/4724-132-0x0000000000B20000-0x0000000000BA8000-memory.dmp  Nirsoft
  behavioral2/memory/3616-141-0x0000000000B10000-0x0000000000B98000-memory.dmp  Nirsoft
  behavioral2/memory/3616-140-0x0000000000B10000-0x0000000000B98000-memory.dmp  Nirsoft
  behavioral2/memory/4372-144-0x0000000000000000-mapping.dmp                    Nirsoft
  behavioral2/memory/4372-145-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/4372-147-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/4372-148-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/4764-149-0x0000000000000000-mapping.dmp                    Nirsoft
  behavioral2/memory/4764-150-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/4764-152-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/4764-153-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
- Executes dropped EXE 2 IoCs
  Processes:
  pid   process
  4496  Windows Update.exe
  3616  Windows Update.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                        process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation       PO3902939304.exe
- Uses the VBS compiler for execution 1 TTPs
- Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Processes:
  description  ioc                                                                                                                        process
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description      ioc                                                                                                                                                                           process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  7     whatismyipaddress.com
- Suspicious use of SetThreadContext 4 IoCs
  Processes:
  description                          pid   process             target process
  PID 3976 set thread context of 4724  3976  PO3902939304.exe    PO3902939304.exe
  PID 4496 set thread context of 3616  4496  Windows Update.exe  Windows Update.exe
  PID 3616 set thread context of 4372  3616  Windows Update.exe  vbc.exe
  PID 3616 set thread context of 4764  3616  Windows Update.exe  vbc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 7 IoCs
  Processes:
  pid   process
  3976  PO3902939304.exe
  3976  PO3902939304.exe
  4496  Windows Update.exe
  4496  Windows Update.exe
  4764  vbc.exe
  4764  vbc.exe
  3616  Windows Update.exe
- Suspicious behavior: MapViewOfSection 2 IoCs
  Processes:
  pid   process
  3976  PO3902939304.exe
  4496  Windows Update.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   3616  Windows Update.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes:
  pid   process
  3616  Windows Update.exe
- Suspicious use of WriteProcessMemory 27 IoCs
  Processes:
  description                        pid   process             target process
  PID 3976 wrote to memory of 4724   3976  PO3902939304.exe    PO3902939304.exe
  PID 3976 wrote to memory of 4724   3976  PO3902939304.exe    PO3902939304.exe
  PID 3976 wrote to memory of 4724   3976  PO3902939304.exe    PO3902939304.exe
  PID 4724 wrote to memory of 4496   4724  PO3902939304.exe    Windows Update.exe
  PID 4724 wrote to memory of 4496   4724  PO3902939304.exe    Windows Update.exe
  PID 4724 wrote to memory of 4496   4724  PO3902939304.exe    Windows Update.exe
  PID 4496 wrote to memory of 3616   4496  Windows Update.exe  Windows Update.exe
  PID 4496 wrote to memory of 3616   4496  Windows Update.exe  Windows Update.exe
  PID 4496 wrote to memory of 3616   4496  Windows Update.exe  Windows Update.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4372   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
  PID 3616 wrote to memory of 4764   3616  Windows Update.exe  vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO3902939304.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO3902939304.exe"
  PID: 3976
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO3902939304.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO3902939304.exe"
    PID: 4724
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 4496
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        PID: 3616
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          PID: 4372
          - Accesses Microsoft Outlook accounts
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          PID: 4764
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 50B
  MD5: 19da27840e899137dee51ab1bda17e15
  SHA1: 39790af21f6c8ab31f27f090a7713c068ad46f5b
  SHA256: 988fc60996420e226191ab5597806abcaefd8d9bff9b2333576580ed6d603c7c
  SHA512: f39d34cf65f3ac88817ff29cb2f94d16cec0e1c01ae25d4c99fd9647092d66d4b4800d7aad6fb6b7571120c1cd44ef83472ae5c50090aed8ca2c7ec70f603bcf
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 976KB
  MD5: ab0e982a52e2b90858413c0b49102fa1
  SHA1: 28b4bd9790d00b2b8287f15e8c6b6a29661e8cf0
  SHA256: 0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
  SHA512: 5e3cfe9999288a63fcbad2cd69927b9ad062683014e15a4c483053bfa446d9bb7b1af58a5c0cc57271d615471548c219aefebb051748e9790e0adda82b412f10
- memory/3616-141-0x0000000000B10000-0x0000000000B98000-memory.dmp
  Filesize: 544KB
- memory/3616-142-0x0000000074940000-0x0000000074EF1000-memory.dmp
  Filesize: 5.7MB
- memory/3616-140-0x0000000000B10000-0x0000000000B98000-memory.dmp
  Filesize: 544KB
- memory/3616-138-0x0000000000000000-mapping.dmp
- memory/3976-133-0x0000000002290000-0x000000000229A000-memory.dmp
  Filesize: 40KB
- memory/4372-145-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4372-144-0x0000000000000000-mapping.dmp
- memory/4372-147-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4372-148-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4496-135-0x0000000000000000-mapping.dmp
- memory/4724-134-0x0000000074550000-0x0000000074B01000-memory.dmp
  Filesize: 5.7MB
- memory/4724-132-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  Filesize: 544KB
- memory/4724-130-0x0000000000000000-mapping.dmp
- memory/4724-131-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  Filesize: 544KB
- memory/4764-149-0x0000000000000000-mapping.dmp
- memory/4764-150-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/4764-152-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/4764-153-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB