2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e

Analysis

max time kernel
168s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
Size

1.1MB
MD5

070b7563cf4bceee5d78676f26759d65
SHA1

201e444168bb8d0775fe7e74641af03811c7194f
SHA256

2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e
SHA512

099aaa6e310d9574ab57f133a673a4053d8702f796d83efe871037ac216ae2396fdead332bb319ec238ccf3aa123109a5fc7b75076e4b33a37124252d635ef91

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1256 set thread context of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 set thread context of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1552	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	29
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	29
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	29
PID 1376 wrote to memory of 1816	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	29
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1376 wrote to memory of 1256	1376	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	30
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1552	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	32
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34
PID 1256 wrote to memory of 1112	1256	2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe	34

C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
"C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GANoZxhqS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85B4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\2d35b8ff444ab71d3fdbb9a4285da623a79f498d2b840079e57524eb928d935e.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC0C1.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp653A.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp85B4.tmp

Filesize
1KB

MD5
ce350c97a10105b1c55d979123688101

SHA1
236cda4d26e450a41d4cf3559410b5e213d37466

SHA256
51f0f9f3d5e98f18c8d37ab8089391ae28c185d49ca384f0299873fe4e1a2407

SHA512
c13311afda8eee8ef4ee2022e326ece2d56e677c5e0866ae20bf7bc25b2eecafbf20ee6b86eb9f24df1d0d7393542ce01c220d14c2bf6d14a7e4569fc8c18e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0C1.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1112-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-93-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-95-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-100-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1112-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1256-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-58-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-70-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1256-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-71-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-84-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download