Analysis
- max time kernel: 180s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 31-05-2022 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
  Resource: win10v2004-20220414-en
General
- Target: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
- Size: 1.3MB
- MD5: 7b38f8ac450bb2982a913cb8039c0179
- SHA1: d183ba22cc8028abbe23d216225dc56fdba3f5f3
- SHA256: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b
- SHA512: 80b448b900665e7ebf2e9170b586b7bab6f52fef9cf835b977eaf42738e3c4de81a447a312363e65f632db80ae1507a3038362eb780780978dbb9acecfc0bdc9
Malware Config
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/320-155-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/320-157-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/320-158-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/4940-148-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4940-150-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4940-151-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4940-152-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView

Nirsoft (7 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4940-148-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/4940-150-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/4940-151-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/4940-152-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/320-155-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/320-157-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/320-158-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe, RegAsm.exe
  description | pid | process | target process
  PID 4836 set thread context of 4408 | 4836 | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe | RegAsm.exe
  PID 4408 set thread context of 4940 | 4408 | RegAsm.exe | vbc.exe
  PID 4408 set thread context of 320 | 4408 | RegAsm.exe | vbc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe, vbc.exe
  pid | process
  4836 | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe  (identical row repeated 2 times)
  4940 | vbc.exe  (identical row repeated 12 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
  description | pid | process
  Token: SeDebugPrivilege | 4836 | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe, RegAsm.exe
  description | pid | process | target process
  PID 4836 wrote to memory of 4284 | 4836 | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe | schtasks.exe  (identical row repeated 3 times)
  PID 4836 wrote to memory of 4408 | 4836 | 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe | RegAsm.exe  (identical row repeated 8 times)
  PID 4408 wrote to memory of 4940 | 4408 | RegAsm.exe | vbc.exe  (identical row repeated 9 times)
  PID 4408 wrote to memory of 320 | 4408 | RegAsm.exe | vbc.exe  (identical row repeated 9 times)
Processes
C:\Users\Admin\AppData\Local\Temp\06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4836
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YUhjXReg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E1D.tmp"
    - Creates scheduled task(s)
    PID: 4284
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4408
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9769.tmp"
      - Suspicious behavior: EnumeratesProcesses
      PID: 4940
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp"
      - Accesses Microsoft Outlook accounts
      PID: 320
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: fbb08d5b5d84263eef0fc2869ae224d9
  SHA1: c0ea580a3bfb2b2174aff098baa7bab996f88ee6
  SHA256: 5dfb9f169a4bac3d52a9fd88831e6ac94bc38eaa654cc62a27ecf6d608fd7bd0
  SHA512: 90d371b05c69b2ab4e121d02f7f8a258bdd5d67f94648e2567558e072fb7e21b802629dd80e87337e2f197c553da487f4809b4b530f15fb74e7f6f36cc3813ef
- Filesize: 4KB
  MD5: a44410c464bc23ac615f732de976447c
  SHA1: e13bb8bfa077dd78dda795b3c21750f217ba4d36
  SHA256: a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6
  SHA512: 15e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a