General
Target

PO9087665788.exe

Filesize

825KB

Completed

21-05-2022 18:53

Task

behavioral1

Score
10/10
MD5

105cab9441e63917a5c774c36ab801c6

SHA1

c343476262267c46ebee6cf8683de3620ca938d0

SHA256

60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

SHA512

5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3

Malware Config

Extracted

Credentials

Protocol: smtp

Host: webmail.tos-thailand.com

Port: 587

Username: sudarat.k@tos-thailand.com

Password: P@ssw0rd

Signatures 18

Filter: none

Collection
Defense Evasion
Discovery
Persistence
  • HawkEye

    Description

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/900-56-0x0000000001ED0000-0x0000000001F58000-memory.dmp | MailPassView
    behavioral1/memory/900-57-0x0000000001ED0000-0x0000000001F58000-memory.dmp | MailPassView
    behavioral1/memory/1076-76-0x0000000002040000-0x00000000020C8000-memory.dmp | MailPassView
    behavioral1/memory/1076-77-0x0000000002040000-0x00000000020C8000-memory.dmp | MailPassView
    behavioral1/memory/1072-81-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral1/memory/1072-82-0x0000000000411654-mapping.dmp | MailPassView
    behavioral1/memory/1072-85-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral1/memory/1072-87-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/900-56-0x0000000001ED0000-0x0000000001F58000-memory.dmp | WebBrowserPassView
    behavioral1/memory/900-57-0x0000000001ED0000-0x0000000001F58000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1076-76-0x0000000002040000-0x00000000020C8000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1076-77-0x0000000002040000-0x00000000020C8000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1208-88-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1208-89-0x0000000000442628-mapping.dmp | WebBrowserPassView
    behavioral1/memory/1208-92-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1208-94-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/900-56-0x0000000001ED0000-0x0000000001F58000-memory.dmp | Nirsoft
    behavioral1/memory/900-57-0x0000000001ED0000-0x0000000001F58000-memory.dmp | Nirsoft
    behavioral1/memory/1076-76-0x0000000002040000-0x00000000020C8000-memory.dmp | Nirsoft
    behavioral1/memory/1076-77-0x0000000002040000-0x00000000020C8000-memory.dmp | Nirsoft
    behavioral1/memory/1072-81-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/1072-82-0x0000000000411654-mapping.dmp | Nirsoft
    behavioral1/memory/1072-85-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/1072-87-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/1208-88-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral1/memory/1208-89-0x0000000000442628-mapping.dmp | Nirsoft
    behavioral1/memory/1208-92-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral1/memory/1208-94-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  • Executes dropped EXE
    Windows Update.exe, Windows Update.exe

    Reported IOCs

    pid | process
    968 | Windows Update.exe
    1076 | Windows Update.exe
  • Deletes itself
    Windows Update.exe

    Reported IOCs

    pid | process
    1076 | Windows Update.exe
  • Loads dropped DLL
    PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    pid | process
    900 | PO9087665788.exe
    968 | Windows Update.exe
    968 | Windows Update.exe
    968 | Windows Update.exe
    968 | Windows Update.exe
    1076 | Windows Update.exe
    1076 | Windows Update.exe
    1076 | Windows Update.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Accesses Microsoft Outlook accounts
    vbc.exe

    Tags

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
  • Adds Run key to start application
    Windows Update.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    3 | whatismyipaddress.com
    5 | whatismyipaddress.com
    6 | whatismyipaddress.com
  • Suspicious use of SetThreadContext
    PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    description | pid | process | target process
    PID 1172 set thread context of 900 | 1172 | PO9087665788.exe | PO9087665788.exe
    PID 968 set thread context of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 1076 set thread context of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 set thread context of 1208 | 1076 | Windows Update.exe | vbc.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    pid | process
    1172 | PO9087665788.exe
    968 | Windows Update.exe
    1076 | Windows Update.exe
  • Suspicious behavior: MapViewOfSection
    PO9087665788.exe, Windows Update.exe

    Reported IOCs

    pid | process
    1172 | PO9087665788.exe
    968 | Windows Update.exe
  • Suspicious use of AdjustPrivilegeToken
    Windows Update.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1076 | Windows Update.exe
  • Suspicious use of SetWindowsHookEx
    Windows Update.exe

    Reported IOCs

    pid | process
    1076 | Windows Update.exe
  • Suspicious use of WriteProcessMemory
    PO9087665788.exe, PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    description | pid | process | target process
    PID 1172 wrote to memory of 900 | 1172 | PO9087665788.exe | PO9087665788.exe
    PID 1172 wrote to memory of 900 | 1172 | PO9087665788.exe | PO9087665788.exe
    PID 1172 wrote to memory of 900 | 1172 | PO9087665788.exe | PO9087665788.exe
    PID 1172 wrote to memory of 900 | 1172 | PO9087665788.exe | PO9087665788.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 900 wrote to memory of 968 | 900 | PO9087665788.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 968 wrote to memory of 1076 | 968 | Windows Update.exe | Windows Update.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1072 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
    PID 1076 wrote to memory of 1208 | 1076 | Windows Update.exe | vbc.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe
    "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe
      "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:968
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          Executes dropped EXE
          Deletes itself
          Loads dropped DLL
          Adds Run key to start application
          Suspicious use of SetThreadContext
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:1076
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            Accesses Microsoft Outlook accounts
            PID:1072
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            PID:1208
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

    MD5

    4cb7017b8a46c8cf56bed39e0a805c19

    SHA1

    55a1cd84c133174f0ea4fbde50e7f555fa47465d

    SHA256

    a8d5ef39420789e5ebca4be99042f8924fe8b36b12abf003750f7e41a85d1b53

    SHA512

    bdda09a54492f7bebcd9461d9179ee4f347be825060b8db13de8e5cca9a0f0f0776a415d43d04c00109c1b329f3773fafc7681136c9d28413e979759df8f96bd

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed 3 times in the report, identical hashes)

    MD5

    105cab9441e63917a5c774c36ab801c6

    SHA1

    c343476262267c46ebee6cf8683de3620ca938d0

    SHA256

    60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

    SHA512

    5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3

  • \Users\Admin\AppData\Roaming\Windows Update.exe (listed 8 times in the report, identical hashes)

    MD5

    105cab9441e63917a5c774c36ab801c6

    SHA1

    c343476262267c46ebee6cf8683de3620ca938d0

    SHA256

    60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

    SHA512

    5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3

  • memory/900-56-0x0000000001ED0000-0x0000000001F58000-memory.dmp

  • memory/900-55-0x000000000051B520-mapping.dmp

  • memory/900-60-0x0000000073F30000-0x00000000744DB000-memory.dmp

  • memory/900-57-0x0000000001ED0000-0x0000000001F58000-memory.dmp

  • memory/968-62-0x0000000000000000-mapping.dmp

  • memory/968-78-0x0000000000400000-0x00000000004D5000-memory.dmp

  • memory/1072-82-0x0000000000411654-mapping.dmp

  • memory/1072-81-0x0000000000400000-0x000000000041B000-memory.dmp

  • memory/1072-87-0x0000000000400000-0x000000000041B000-memory.dmp

  • memory/1072-85-0x0000000000400000-0x000000000041B000-memory.dmp

  • memory/1076-80-0x0000000073F90000-0x000000007453B000-memory.dmp

  • memory/1076-76-0x0000000002040000-0x00000000020C8000-memory.dmp

  • memory/1076-70-0x000000000051B520-mapping.dmp

  • memory/1076-77-0x0000000002040000-0x00000000020C8000-memory.dmp

  • memory/1172-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

  • memory/1172-59-0x0000000000400000-0x00000000004D5000-memory.dmp

  • memory/1208-89-0x0000000000442628-mapping.dmp

  • memory/1208-92-0x0000000000400000-0x0000000000458000-memory.dmp

  • memory/1208-88-0x0000000000400000-0x0000000000458000-memory.dmp

  • memory/1208-94-0x0000000000400000-0x0000000000458000-memory.dmp