Analysis
- Max time kernel: 135s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 18:50
- Static task: static1
- Behavioral task behavioral1: sample PO9087665788.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample PO9087665788.exe, resource win10v2004-20220414-en (every IoC below is prefixed behavioral2, so the results shown are from this task)
General
- Target: PO9087665788.exe
- Size: 825KB
- MD5: 105cab9441e63917a5c774c36ab801c6
- SHA1: c343476262267c46ebee6cf8683de3620ca938d0
- SHA256: 60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771
- SHA512: 5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3
Malware Config
Extracted
- Protocol: smtp
- Host: webmail.tos-thailand.com
- Port: 587
- Username: sudarat.k@tos-thailand.com
- Password: P@ssw0rd
This is the SMTP configuration carried inside the sample, the account a credential stealer of this kind uses to mail collected data out over the submission port (587). Treat host and account as infrastructure under the operator's control (frequently a compromised legitimate mailbox): block or alert on SMTP traffic from endpoints to this host, and do not authenticate to the mailbox yourself. The username and password are the extracted config, not a credential of the sandbox.
Signatures
- NirSoft MailPassView (8 IoCs)
  Password recovery tool for various email clients. YARA rule MailPassView matched these memory dumps:
  - behavioral2/memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp
  - behavioral2/memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp
  - behavioral2/memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  - behavioral2/memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  - behavioral2/memory/4516-155-0x0000000000000000-mapping.dmp
  - behavioral2/memory/4516-156-0x0000000000400000-0x000000000041B000-memory.dmp
  - behavioral2/memory/4516-158-0x0000000000400000-0x000000000041B000-memory.dmp
  - behavioral2/memory/4516-159-0x0000000000400000-0x000000000041B000-memory.dmp
- NirSoft WebBrowserPassView (8 IoCs)
  Password recovery tool for various web browsers. YARA rule WebBrowserPassView matched these memory dumps:
  - behavioral2/memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp
  - behavioral2/memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp
  - behavioral2/memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  - behavioral2/memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp
  - behavioral2/memory/4788-160-0x0000000000000000-mapping.dmp
  - behavioral2/memory/4788-161-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/4788-163-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/4788-164-0x0000000000400000-0x0000000000458000-memory.dmp
- Nirsoft (12 IoCs)
  The generic Nirsoft YARA rule matched the union of the two lists above:
  - PID 1996: dumps 131 and 132 (0x0000000000B70000-0x0000000000BF8000)
  - PID 1832: dumps 140 and 141 (0x0000000000B20000-0x0000000000BA8000)
  - PID 4516: dump 155 (mapping) and dumps 156, 158, 159 (0x0000000000400000-0x000000000041B000)
  - PID 4788: dump 160 (mapping) and dumps 161, 163, 164 (0x0000000000400000-0x0000000000458000)
  Both tool-specific rules hit the 544KB regions in PIDs 1996 and 1832 (the unpacked stealer body, which embeds both tools), whereas PID 4516 matches only MailPassView and PID 4788 only WebBrowserPassView: each hollowed vbc.exe instance hosts exactly one of the two tools, which is also what the two /stext output names (holdermail.txt, holderwb.txt) in the process list suggest.
- Executes dropped EXE (2 IoCs)
  - PID 5004 Windows Update.exe
  - PID 1832 Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - PO9087665788.exe: key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Uses the VBS compiler for execution (1 TTP)
  The signature name is misleading: vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine, and it is not compiling anything here. The SetThreadContext and WriteProcessMemory records below show Windows Update.exe (PID 1832) writing into two freshly started vbc.exe instances (PIDs 4516 and 4788) and redirecting their threads, so the signed Microsoft binary is only the host process for the injected NirSoft tools. The /stext switch on the vbc.exe command lines is NirSoft's save-as-text option, not a vbc.exe option.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  - vbc.exe: key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Windows Update.exe: set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
  The recorded value points to WindowsUpdate.exe (no space), while the file the sample dropped is Windows Update.exe (with a space, see Downloads). As recorded, the autorun target does not match any dropped file listed in this report; check the replay or a full file listing for the no-space copy before concluding that persistence survives a reboot.
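The check an analyst would run on a live host after reading the entry above, as an added example (not part of the report): audit Run-key values for targets in user-writable directories, value names that imitate Windows components, and targets that do not exist among the files known to be on the box. The Run entry and the dropped-file list are copied from this report; the heuristics, the MIMIC_NAMES pattern and the USER_WRITABLE roots are this example's own assumptions and should be tuned to the environment.

```python
"""Audit Run-key persistence entries against a list of files known to exist.

Added example, not from the sandbox report.  The Run entry and the dropped
files are copied from the report; the heuristics are assumptions."""
import ntpath
import re

# Value as recorded in the report, under the per-user Run key.
RUN_ENTRIES = {
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update":
        "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe",
}

# Files the report lists under Downloads (dropped by the sample).
DROPPED_FILES = {
    "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update.exe",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\SysInfo.txt",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\holderwb.txt",
}

# Assumptions: user-writable roots a Run value should rarely point into, and
# value names that imitate Windows components.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
MIMIC_NAMES = re.compile(
    r"^(windows\s*update|windows\s*defender|microsoft\s*update|svchost|explorer)$", re.I)


def _exe_from_value(value):
    """Extract the executable path from a Run value, quoted or not, with or
    without trailing arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js))(\s|$)", value, re.I)
    return m.group(1) if m else value


def audit_run_entries(entries, known_files):
    """Return (value name, target exe, reasons) for each suspicious entry.

    known_files is the set of paths known to exist on the host; here it is the
    report's dropped-file list, so a target outside it is a path the sample
    never wrote (as far as the report shows)."""
    known = {p.lower() for p in known_files}
    findings = []
    for key, value in entries.items():
        name = key.rsplit("\\", 1)[-1]
        exe = _exe_from_value(value)
        reasons = []
        if any(root in exe.lower() for root in USER_WRITABLE):
            reasons.append("target in user-writable directory")
        if MIMIC_NAMES.match(name):
            reasons.append("value name imitates a Windows component")
        if exe.lower() not in known:
            # Look for a near-miss such as "Windows Update.exe" vs "WindowsUpdate.exe".
            want = ntpath.basename(exe).replace(" ", "").lower()
            near = [p for p in known_files
                    if ntpath.basename(p).replace(" ", "").lower() == want]
            reasons.append("target not among known files"
                           + (f"; closest known file: {near[0]}" if near else ""))
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in audit_run_entries(RUN_ENTRIES, DROPPED_FILES):
        print(f"{name!r} -> {exe}")
        for r in reasons:
            print("   ", r)
```

Run against the report's data, the single entry is flagged on all three counts, and the near-miss lookup names Windows Update.exe as the dropped file the autorun value almost, but not exactly, points at.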
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 4: whatismyipaddress.com
  - flow 6: whatismyipaddress.com
- Drops file in System32 directory (2 IoCs)
  - svchost.exe: file created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{823A50CA-4EF7-478C-B0D8-9DA3712827F8}.catalogItem
  - svchost.exe: file created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8E84B1F1-225C-4A1F-96C5-C725AEE671D5}.catalogItem
  The svchost.exe here is the service host started as "svchost.exe -k netsvcs -p" (see Processes). None of the injection records involve it, and .catalogItem files under the system profile's InstallService folder are written by the Microsoft Store Install Service, so treat these rows as background OS activity unless the replay ties them to the sample.
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 3808 PO9087665788.exe set thread context of PID 1996 PO9087665788.exe
  - PID 5004 Windows Update.exe set thread context of PID 1832 Windows Update.exe
  - PID 1832 Windows Update.exe set thread context of PID 4516 vbc.exe
  - PID 1832 Windows Update.exe set thread context of PID 4788 vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's boilerplate calls this "likely ransomware behaviour", but nothing else in this report supports that reading (no encryption, no mass file writes, no note dropped); in a credential stealer, drive enumeration is more plausibly host fingerprinting.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. All three reads here come from svchost.exe, which is not part of the sample's process chain:
  - svchost.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - svchost.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - svchost.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  - svchost.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - svchost.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - PID 3808 PO9087665788.exe (2)
  - PID 5004 Windows Update.exe (2)
  - PID 4788 vbc.exe (2)
  - PID 1832 Windows Update.exe (1)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - PID 3808 PO9087665788.exe
  - PID 5004 Windows Update.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 1832 Windows Update.exe: token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1832 Windows Update.exe
  SetWindowsHookEx is the API user-mode keyloggers use to install keyboard hooks. The report records no keystroke output file, so treat this as a lead to follow up in the replay, not as a confirmed capability.
- Suspicious use of WriteProcessMemory (27 IoCs)
  Grouped by writer and target, with the number of recorded writes:
  - PID 3808 PO9087665788.exe wrote to PID 1996 PO9087665788.exe (3)
  - PID 1996 PO9087665788.exe wrote to PID 5004 Windows Update.exe (3)
  - PID 5004 Windows Update.exe wrote to PID 1832 Windows Update.exe (3)
  - PID 1832 Windows Update.exe wrote to PID 4516 vbc.exe (9)
  - PID 1832 Windows Update.exe wrote to PID 4788 vbc.exe (9)
  Every writer/target pair except 1996 -> 5004 also appears in the SetThreadContext list, which is the create-suspended, write payload, set entry point, resume sequence of process hollowing. The chain is therefore: the launcher hollows a second copy of itself (3808 -> 1996); that copy drops and starts Windows Update.exe (1996 -> 5004, write only); Windows Update.exe hollows a second copy of itself (5004 -> 1832); and the hollowed copy finally hollows two vbc.exe instances (1832 -> 4516, 1832 -> 4788) to run the NirSoft tools.
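The chain reconstruction above, done programmatically so it can be applied to other reports, as an added example (not code from the report or the sandbox vendor): parse the report's own SetThreadContext and WriteProcessMemory wording, pair writes with context changes to find hollowing, rebuild the process tree from the writes, and flag the vbc.exe /stext command line. The RECORDS lines are copied from this report (one WriteProcessMemory line per writer/target pair); the parser, the labels and the LOLBIN_HOSTS set are this example's own, and the extra hosts in that set are an assumption to tune per environment.

```python
"""Rebuild the injection chain from a sandbox report's SetThreadContext and
WriteProcessMemory records and flag process-hollowing candidates.

Added example, not part of the report.  RECORDS is copied from the report;
the parsing, heuristics and LOLBIN_HOSTS are this example's own."""
import re
from collections import namedtuple

Event = namedtuple("Event", "kind src_pid dst_pid src_image dst_image")

RECORDS = """
PID 3808 set thread context of 1996 3808 PO9087665788.exe PO9087665788.exe
PID 5004 set thread context of 1832 5004 Windows Update.exe Windows Update.exe
PID 1832 set thread context of 4516 1832 Windows Update.exe vbc.exe
PID 1832 set thread context of 4788 1832 Windows Update.exe vbc.exe
PID 3808 wrote to memory of 1996 3808 PO9087665788.exe PO9087665788.exe
PID 1996 wrote to memory of 5004 1996 PO9087665788.exe Windows Update.exe
PID 5004 wrote to memory of 1832 5004 Windows Update.exe Windows Update.exe
PID 1832 wrote to memory of 4516 1832 Windows Update.exe vbc.exe
PID 1832 wrote to memory of 4788 1832 Windows Update.exe vbc.exe
"""

# Both wordings the report uses: "PID <src> <verb> <dst> <src> <src image> <dst image>".
# Image names may contain spaces ("Windows Update.exe"), hence lazy groups
# anchored on ".exe" and on end of line.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$")
KIND = {"set thread context of": "ctx", "wrote to memory of": "wpm"}

# Signed .NET Framework binaries commonly used as hosts for injected code.
# Assumption: vbc.exe is the one in this report; the others are added for
# generality.
LOLBIN_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe"}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(KIND[m["verb"]], int(m["src"]), int(m["dst"]),
                                m["src_img"], m["dst_img"]))
    return events


def hollowing_candidates(events):
    """(src_pid, dst_pid, label) for every target that received both a memory
    write and a thread-context change from the same source: the
    create-suspended / write payload / set entry point / resume sequence."""
    wrote = {(e.src_pid, e.dst_pid) for e in events if e.kind == "wpm"}
    ctx = {(e.src_pid, e.dst_pid): e for e in events if e.kind == "ctx"}
    out = []
    for key in sorted(wrote & set(ctx)):
        e = ctx[key]
        if e.src_image.lower() == e.dst_image.lower():
            label = "self-hollowing"
        elif e.dst_image.lower() in LOLBIN_HOSTS:
            label = "hollowed LOLBin host"
        else:
            label = "remote write + thread hijack"
        out.append((e.src_pid, e.dst_pid, label))
    return out


def build_tree(events):
    """Parent map: the first process that wrote into a PID is taken as its
    creator, since hollowing writes into a child created suspended."""
    parent = {}
    for e in events:
        if e.kind == "wpm" and e.dst_pid not in parent:
            parent[e.dst_pid] = e.src_pid
    return parent


def render_tree(events):
    """Indented 'PID image' lines, roots first."""
    parent = build_tree(events)
    images, children = {}, {}
    for e in events:
        images[e.src_pid] = e.src_image
        images[e.dst_pid] = e.dst_image
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for root in sorted(p for p in images if p not in parent):
        walk(root, 0)
    return lines


def vbc_stext_abuse(cmdline):
    """vbc.exe (the VB.NET compiler) has no /stext switch; /stext <file> is the
    NirSoft save-as-text option, so a vbc.exe command line carrying it means
    the process body is no longer the compiler."""
    return re.search(r'vbc\.exe"?\s+.*?/stext\b', cmdline, re.I) is not None


if __name__ == "__main__":
    evs = parse_events(RECORDS)
    print("\n".join(render_tree(evs)))
    for src, dst, label in hollowing_candidates(evs):
        print(f"{src} -> {dst}: {label}")
```

On the report's records this yields one tree rooted at 3808 and four hollowing pairs: two self-hollowings (3808 -> 1996, 5004 -> 1832) and two hollowed vbc.exe hosts (1832 -> 4516, 1832 -> 4788); the 1996 -> 5004 write alone is correctly not labelled as hollowing.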
Processes
PIDs and parent/child relations are taken from the WriteProcessMemory and SetThreadContext records above; the report's own process list gives only command lines and tags.
- C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe (PID 3808)
  "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
  Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe (PID 1996, hollowed second instance)
    "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
    Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 5004)
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1832, hollowed second instance)
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4516, the instance with the MailPassView YARA hits)
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          Accesses Microsoft Outlook accounts
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4788, the instance with the WebBrowserPassView YARA hits and the EnumeratesProcesses record)
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe (no PID recorded; not part of the sample's chain)
  C:\Windows\System32\svchost.exe -k netsvcs -p
  Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
MITRE ATT&CK Matrix
- Collection: Email Collection (1)
- Persistence: Registry Run Keys / Startup Folder (1)
- Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation: no techniques mapped by the sandbox
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize 50B
  MD5 4cb7017b8a46c8cf56bed39e0a805c19
  SHA1 55a1cd84c133174f0ea4fbde50e7f555fa47465d
  SHA256 a8d5ef39420789e5ebca4be99042f8924fe8b36b12abf003750f7e41a85d1b53
  SHA512 bdda09a54492f7bebcd9461d9179ee4f347be825060b8db13de8e5cca9a0f0f0776a415d43d04c00109c1b329f3773fafc7681136c9d28413e979759df8f96bd
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt (the /stext output file named on the second vbc.exe command line)
  Filesize 3KB
  MD5 f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times in the report with identical hashes; shown once here)
  Filesize 825KB
  MD5 105cab9441e63917a5c774c36ab801c6
  SHA1 c343476262267c46ebee6cf8683de3620ca938d0
  SHA256 60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771
  SHA512 5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3
  All four hashes are identical to those of the submitted sample: the dropped file is a copy of the launcher itself.
holdermail.txt, the output file named on the first vbc.exe command line, is not among the dropped files listed.

Memory dumps (name format: PID-sequence-start-end; sizes as stated by the report):
- memory/1832-138-0x0000000000000000-mapping.dmp
- memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp, 544KB
- memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp, 544KB
- memory/1832-153-0x0000000074B80000-0x0000000075131000-memory.dmp, 5MB
- memory/1996-130-0x0000000000000000-mapping.dmp
- memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp, 544KB
- memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp, 544KB
- memory/1996-134-0x0000000074B00000-0x00000000750B1000-memory.dmp, 5MB
- memory/3808-133-0x0000000000400000-0x00000000004D5000-memory.dmp, 852KB
- memory/4516-155-0x0000000000000000-mapping.dmp
- memory/4516-156-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/4516-158-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/4516-159-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/4788-160-0x0000000000000000-mapping.dmp
- memory/4788-161-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/4788-163-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/4788-164-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/5004-135-0x0000000000000000-mapping.dmp
- memory/5004-142-0x0000000000400000-0x00000000004D5000-memory.dmp, 852KB
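Triage of the dump list above, as an added example (not code from the report or the sandbox vendor): decode each dump name into PID, sequence number and address range, check that the stated Filesize matches the range encoded in the name, pick the dumps worth carving for the payload injected into the hollowed vbc.exe processes, and confirm a carved region is actually a PE image before treating it as the NirSoft tool. The dump names and sizes are copied from this report (one per distinct region); the 0x400000 image-base heuristic and the PE header check are this example's own assumptions, to be confirmed on the real dump bytes.

```python
"""Triage sandbox memory dumps: decode names, verify stated sizes, select
carve candidates for hollowed processes, and sanity-check a carved PE.

Added example, not part of the report.  DUMPS is copied from the report;
the image-base heuristic and the PE check are assumptions."""
import re
import struct

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$")

# "<dump name> <Filesize as stated>"; mapping dumps carry no size.
DUMPS = """
memory/1832-138-0x0000000000000000-mapping.dmp
memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp 544KB
memory/1832-153-0x0000000074B80000-0x0000000075131000-memory.dmp 5MB
memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp 544KB
memory/3808-133-0x0000000000400000-0x00000000004D5000-memory.dmp 852KB
memory/4516-156-0x0000000000400000-0x000000000041B000-memory.dmp 108KB
memory/4788-161-0x0000000000400000-0x0000000000458000-memory.dmp 352KB
memory/5004-142-0x0000000000400000-0x00000000004D5000-memory.dmp 852KB
"""

# Default, non-relocated image base of 32-bit executables (assumption: a
# region starting here inside a hollowed process is where the injected PE
# was written).
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": (end - start) if end is not None else 0}


def human_size(nbytes):
    """Same rounding the report uses: whole KB, whole MB from 1 MB up."""
    kb = nbytes // 1024
    return f"{kb // 1024}MB" if kb >= 1024 else f"{kb}KB"


def check_listed_sizes(listing):
    """Names whose stated Filesize does not match the address range."""
    mismatches = []
    for line in listing.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # mapping dump, no size stated
        info = parse_dump_name(parts[0])
        if human_size(info["size"]) != parts[1]:
            mismatches.append(parts[0])
    return mismatches


def carve_candidates(listing, hollowed_pids):
    """(pid, seq, size) of memory dumps of hollowed processes whose region
    starts at the default image base: first place to look for the payload."""
    out = []
    for line in listing.strip().splitlines():
        info = parse_dump_name(line.split()[0])
        if (info["kind"] == "memory" and info["pid"] in hollowed_pids
                and info["start"] == DEFAULT_IMAGE_BASE):
            out.append((info["pid"], info["seq"], info["size"]))
    return sorted(out)


def looks_like_pe(data):
    """'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(DUMPS))
    for pid, seq, size in carve_candidates(DUMPS, {4516, 4788}):
        print(f"carve PID {pid} seq {seq}: {human_size(size)} at 0x400000")
```

For this report every stated size agrees with its address range, and the candidates are the 108KB region in PID 4516 and the 352KB region in PID 4788, which is also where the MailPassView and WebBrowserPassView YARA rules fired; the 852KB regions at 0x400000 in PIDs 3808 and 5004 are the launcher's own image and are deliberately not selected.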