General
Target

PO9087665788.exe

Filesize

825KB

Completed

21-05-2022 18:53

Task

behavioral2

Score
10/10
MD5

105cab9441e63917a5c774c36ab801c6

SHA1

c343476262267c46ebee6cf8683de3620ca938d0

SHA256

60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

SHA512

5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3

Malware Config

Extracted

Credentials

Protocol: smtp

Host: webmail.tos-thailand.com

Port: 587

Username: sudarat.k@tos-thailand.com

Password: P@ssw0rd

Signatures 20

Tags: Collection, Defense Evasion, Discovery, Persistence
  • HawkEye

    Description

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp | MailPassView
    behavioral2/memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp | MailPassView
    behavioral2/memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp | MailPassView
    behavioral2/memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp | MailPassView
    behavioral2/memory/4516-155-0x0000000000000000-mapping.dmp | MailPassView
    behavioral2/memory/4516-156-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4516-158-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4516-159-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp | WebBrowserPassView
    behavioral2/memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp | WebBrowserPassView
    behavioral2/memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp | WebBrowserPassView
    behavioral2/memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4788-160-0x0000000000000000-mapping.dmp | WebBrowserPassView
    behavioral2/memory/4788-161-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4788-163-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4788-164-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1996-131-0x0000000000B70000-0x0000000000BF8000-memory.dmp | Nirsoft
    behavioral2/memory/1996-132-0x0000000000B70000-0x0000000000BF8000-memory.dmp | Nirsoft
    behavioral2/memory/1832-140-0x0000000000B20000-0x0000000000BA8000-memory.dmp | Nirsoft
    behavioral2/memory/1832-141-0x0000000000B20000-0x0000000000BA8000-memory.dmp | Nirsoft
    behavioral2/memory/4516-155-0x0000000000000000-mapping.dmp | Nirsoft
    behavioral2/memory/4516-156-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4516-158-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4516-159-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4788-160-0x0000000000000000-mapping.dmp | Nirsoft
    behavioral2/memory/4788-161-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/4788-163-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/4788-164-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  • Executes dropped EXE
    Windows Update.exe, Windows Update.exe

    Reported IOCs

    pid | process
    5004 | Windows Update.exe
    1832 | Windows Update.exe
  • Checks computer location settings
    PO9087665788.exe

    Description

    Looks up the country code configured in the registry, likely for geofencing.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | PO9087665788.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Accesses Microsoft Outlook accounts
    vbc.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
  • Adds Run key to start application
    Windows Update.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    4 | whatismyipaddress.com
    6 | whatismyipaddress.com
  • Drops file in System32 directory
    svchost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{823A50CA-4EF7-478C-B0D8-9DA3712827F8}.catalogItem | svchost.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8E84B1F1-225C-4A1F-96C5-C725AEE671D5}.catalogItem | svchost.exe
  • Suspicious use of SetThreadContext
    PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    description | pid | process | target process
    PID 3808 set thread context of 1996 | 3808 | PO9087665788.exe | PO9087665788.exe
    PID 5004 set thread context of 1832 | 5004 | Windows Update.exe | Windows Update.exe
    PID 1832 set thread context of 4516 | 1832 | Windows Update.exe | vbc.exe
    PID 1832 set thread context of 4788 | 1832 | Windows Update.exe | vbc.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    svchost.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  • Enumerates system info in registry
    svchost.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
  • Suspicious behavior: EnumeratesProcesses
    PO9087665788.exe, Windows Update.exe, vbc.exe, Windows Update.exe

    Reported IOCs

    pid | process | count
    3808 | PO9087665788.exe | 2
    5004 | Windows Update.exe | 2
    4788 | vbc.exe | 2
    1832 | Windows Update.exe | 1
  • Suspicious behavior: MapViewOfSection
    PO9087665788.exe, Windows Update.exe

    Reported IOCs

    pid | process
    3808 | PO9087665788.exe
    5004 | Windows Update.exe
  • Suspicious use of AdjustPrivilegeToken
    Windows Update.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1832 | Windows Update.exe
  • Suspicious use of SetWindowsHookEx
    Windows Update.exe

    Reported IOCs

    pid | process
    1832 | Windows Update.exe
  • Suspicious use of WriteProcessMemory
    PO9087665788.exe, PO9087665788.exe, Windows Update.exe, Windows Update.exe

    Reported IOCs

    description | pid | process | target process | count
    PID 3808 wrote to memory of 1996 | 3808 | PO9087665788.exe | PO9087665788.exe | 3
    PID 1996 wrote to memory of 5004 | 1996 | PO9087665788.exe | Windows Update.exe | 3
    PID 5004 wrote to memory of 1832 | 5004 | Windows Update.exe | Windows Update.exe | 3
    PID 1832 wrote to memory of 4516 | 1832 | Windows Update.exe | vbc.exe | 9
    PID 1832 wrote to memory of 4788 | 1832 | Windows Update.exe | vbc.exe | 9
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe
    "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe
      "C:\Users\Admin\AppData\Local\Temp\PO9087665788.exe"
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          Executes dropped EXE
          Adds Run key to start application
          Suspicious use of SetThreadContext
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            Accesses Microsoft Outlook accounts
            PID:4516
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            Suspicious behavior: EnumeratesProcesses
            PID:4788
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    Drops file in System32 directory
    Checks processor information in registry
    Enumerates system info in registry
    PID:2220
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    MD5: 4cb7017b8a46c8cf56bed39e0a805c19
    SHA1: 55a1cd84c133174f0ea4fbde50e7f555fa47465d
    SHA256: a8d5ef39420789e5ebca4be99042f8924fe8b36b12abf003750f7e41a85d1b53
    SHA512: bdda09a54492f7bebcd9461d9179ee4f347be825060b8db13de8e5cca9a0f0f0776a415d43d04c00109c1b329f3773fafc7681136c9d28413e979759df8f96bd
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    MD5: f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    MD5: 105cab9441e63917a5c774c36ab801c6
    SHA1: c343476262267c46ebee6cf8683de3620ca938d0
    SHA256: 60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771
    SHA512: 5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3