06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b

General

Target

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
Size

1.3MB
MD5

7b38f8ac450bb2982a913cb8039c0179
SHA1

d183ba22cc8028abbe23d216225dc56fdba3f5f3
SHA256

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b
SHA512

80b448b900665e7ebf2e9170b586b7bab6f52fef9cf835b977eaf42738e3c4de81a447a312363e65f632db80ae1507a3038362eb780780978dbb9acecfc0bdc9

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/320-155-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/320-157-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/320-158-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4940-148-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4940-150-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4940-151-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4940-152-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4940-148-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4940-150-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4940-151-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4940-152-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/320-155-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/320-157-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/320-158-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exeRegAsm.exe

description	pid	process	target process
PID 4836 set thread context of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4408 set thread context of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 set thread context of 320	4408	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4284 schtasks.exe

pid	process
4284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exevbc.exe

pid	process
4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe
4940	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

description pid process

Token: SeDebugPrivilege 4836 06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

description	pid	process
Token: SeDebugPrivilege	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exeRegAsm.exe

description	pid	process	target process
PID 4836 wrote to memory of 4284	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	schtasks.exe
PID 4836 wrote to memory of 4284	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	schtasks.exe
PID 4836 wrote to memory of 4284	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	schtasks.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4836 wrote to memory of 4408	4836	06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe	RegAsm.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 4940	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe
PID 4408 wrote to memory of 320	4408	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe
"C:\Users\Admin\AppData\Local\Temp\06e8f6a437cead2a003924d528382f3cd83c76a87ed0813983cf044ae76acc6b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YUhjXReg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E1D.tmp"
2⤵
- Creates scheduled task(s)
PID:4284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9769.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3E1D.tmp

Filesize
1KB

MD5
fbb08d5b5d84263eef0fc2869ae224d9

SHA1
c0ea580a3bfb2b2174aff098baa7bab996f88ee6

SHA256
5dfb9f169a4bac3d52a9fd88831e6ac94bc38eaa654cc62a27ecf6d608fd7bd0

SHA512
90d371b05c69b2ab4e121d02f7f8a258bdd5d67f94648e2567558e072fb7e21b802629dd80e87337e2f197c553da487f4809b4b530f15fb74e7f6f36cc3813ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9769.tmp

Filesize
4KB

MD5
a44410c464bc23ac615f732de976447c

SHA1
e13bb8bfa077dd78dda795b3c21750f217ba4d36

SHA256
a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6

SHA512
15e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a

Download Submit
memory/320-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/320-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/320-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/320-154-0x0000000000000000-mapping.dmp

Download
memory/4284-136-0x0000000000000000-mapping.dmp

Download
memory/4408-143-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4408-159-0x0000000072FE0000-0x0000000073788000-memory.dmp

Filesize
7.7MB

Download
memory/4408-138-0x0000000000000000-mapping.dmp

Download
memory/4408-146-0x0000000072FE0000-0x0000000073788000-memory.dmp

Filesize
7.7MB

Download
memory/4408-145-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4408-144-0x0000000073870000-0x0000000074370000-memory.dmp

Filesize
11.0MB

Download
memory/4836-130-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4836-142-0x0000000073870000-0x0000000074370000-memory.dmp

Filesize
11.0MB

Download
memory/4836-141-0x0000000072FE0000-0x0000000073788000-memory.dmp

Filesize
7.7MB

Download
memory/4836-140-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4836-134-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/4836-131-0x0000000073870000-0x0000000074370000-memory.dmp

Filesize
11.0MB

Download
memory/4836-132-0x0000000072FE0000-0x0000000073788000-memory.dmp

Filesize
7.7MB

Download
memory/4836-133-0x0000000073870000-0x0000000074370000-memory.dmp

Filesize
11.0MB

Download
memory/4836-135-0x0000000072FE0000-0x0000000073788000-memory.dmp

Filesize
7.7MB

Download
memory/4940-147-0x0000000000000000-mapping.dmp

Download
memory/4940-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-150-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-148-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads