Analysis
-
max time kernel
135s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:33
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
Resource
win10v2004-20220414-en
General
-
Target
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
-
Size
1.8MB
-
MD5
cc5e307e68ccb5b363a1d8125e0edfb1
-
SHA1
0937747b83e0624bec024daadeaf5c7effdbcb36
-
SHA256
82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
-
SHA512
ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815
Malware Config
Extracted
Protocol: smtp- Host:
outback.websitewelcome.com - Port:
587 - Username:
sungearmotors@2020weddingeventz2.com - Password:
chukwuma12
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp MailPassView behavioral2/memory/4200-139-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp WebBrowserPassView behavioral2/memory/3792-144-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 9 IoCs
Processes:
resource yara_rule behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp Nirsoft behavioral2/memory/4200-139-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3792-144-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Drops startup file 1 IoCs
Processes:
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FsIso.url Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MSBuild.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" MSBuild.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 whatismyipaddress.com 13 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exeMSBuild.exedescription pid process target process PID 1088 set thread context of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 2108 set thread context of 4200 2108 MSBuild.exe vbc.exe PID 2108 set thread context of 3792 2108 MSBuild.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exeMSBuild.exepid process 3792 vbc.exe 3792 vbc.exe 2108 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 2108 MSBuild.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exepid process 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exepid process 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exepid process 2108 MSBuild.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exeMSBuild.exedescription pid process target process PID 1088 wrote to memory of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 1088 wrote to memory of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 1088 wrote to memory of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 1088 wrote to memory of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 1088 wrote to memory of 2108 1088 Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe MSBuild.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 4200 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe PID 2108 wrote to memory of 3792 2108 MSBuild.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
memory/1088-130-0x0000000005530000-0x0000000005635000-memory.dmpFilesize
1.0MB
-
memory/1088-131-0x0000000005420000-0x0000000005525000-memory.dmpFilesize
1.0MB
-
memory/2108-132-0x0000000000000000-mapping.dmp
-
memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmpFilesize
544KB
-
memory/2108-138-0x00000000754F0000-0x0000000075AA1000-memory.dmpFilesize
5.7MB
-
memory/3792-144-0x0000000000000000-mapping.dmp
-
memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4200-139-0x0000000000000000-mapping.dmp