2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e

General

Target

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
Size

1.1MB
MD5

070b7563cf4bceee5d78676f26759d65
SHA1

201e444168bb8d0775fe7e74641af03811c7194f
SHA256

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e
SHA512

099aaa6e310d9574ab57f133a673a4053d8702f796d83efe871037ac216ae2396fdead332bb319ec238ccf3aa123109a5fc7b75076e4b33a37124252d635ef91

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe

description	pid	process	target process
PID 1376 set thread context of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1256 set thread context of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 set thread context of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1816 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1552 vbc.exe

pid	process
1816	schtasks.exe

pid	process
1552	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe

description	pid	process	target process
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	schtasks.exe
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	schtasks.exe
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	schtasks.exe
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	schtasks.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
"C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GANoZxhqS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85B4.tmp"
2⤵
- Creates scheduled task(s)
PID:1816

C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC0C1.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp653A.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp85B4.tmp

Filesize
1KB

MD5
ce350c97a10105b1c55d979123688101

SHA1
236cda4d26e450a41d4cf3559410b5e213d37466

SHA256
51f0f9f3d5e98f18c8d37ab8089391ae28c185d49ca384f0299873fe4e1a2407

SHA512
c13311afda8eee8ef4ee2022e326ece2d56e677c5e0866ae20bf7bc25b2eecafbf20ee6b86eb9f24df1d0d7393542ce01c220d14c2bf6d14a7e4569fc8c18e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0C1.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1112-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-93-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-96-0x000000000041211A-mapping.dmp

Download
memory/1256-64-0x000000000048B39E-mapping.dmp

Download
memory/1256-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-58-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-70-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-71-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-81-0x0000000000444D30-mapping.dmp

Download
memory/1552-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1816-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads