1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2

General

Target

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
Size

950KB
MD5

6b3c742e228a064940d52592717aebc1
SHA1

1a2345fa154fbf19ae904e0b8975718395269ef4
SHA256

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2
SHA512

f9c98aac9e39800d4549d02893c0a7bb1c5ec3401135510a394433b6a86b6c0d108e96ef5f90467de7fd3535e20070cd02847fb614fe8d4fbffcafbe81605859

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4620-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4620-150-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4620-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4620-152-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/396-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/396-143-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/396-144-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/396-145-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/396-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/396-143-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/396-144-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/396-145-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4620-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4620-150-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4620-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4620-152-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 bot.whatismyipaddress.com

flow	ioc
46	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

description	pid	process	target process
PID 4744 set thread context of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 3128 set thread context of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 set thread context of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2924 schtasks.exe

pid	process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exe1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

pid	process
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
396	vbc.exe
3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

description pid process

Token: SeDebugPrivilege 3128 1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

pid process

3128 1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

description	pid	process
Token: SeDebugPrivilege	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

pid	process
3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe

description	pid	process	target process
PID 4744 wrote to memory of 2924	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	schtasks.exe
PID 4744 wrote to memory of 2924	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	schtasks.exe
PID 4744 wrote to memory of 2924	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	schtasks.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 4744 wrote to memory of 3128	4744	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 396	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe
PID 3128 wrote to memory of 4620	3128	1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
"C:\Users\Admin\AppData\Local\Temp\1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btZrhY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6B6.tmp"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Users\Admin\AppData\Local\Temp\1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe
"C:\Users\Admin\AppData\Local\Temp\1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4264.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1bce0a4fd09685b7e54576ffd391db45dc0e8092dea9a0628615bac9d40e98d2.exe.log
Filesize
500B

MD5
f3bfbe5958adfc86cc0ea0a8317ea113

SHA1
3bf76848af2edafcacee5f9fb6a06b35a6724015

SHA256
598715cafd950c881e4fe318430b5830e95781f2093baa22f124cfad03320874

SHA512
873fb9861d615ec3298ccba8231ea3f2a22f2050fe68fea1a6948987942c04f6b40f0b92d5e59f6971cdb429b67877ac2e3cfc953949a0140e03c6cdb8a1139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp
Filesize
4KB

MD5
92b3d04dbcf7aa8eabb0096c55624068

SHA1
04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7

SHA256
84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c

SHA512
fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6B6.tmp
Filesize
1KB

MD5
c1c2c6ee468abe901ecafeb10758bcd4

SHA1
336700e8fdf705966970364b708b98620ba1b3e1

SHA256
13724eec6dbd73c10f0f284bc3720a9bb9372bdcb5c5bfbe8625656caa1c015d

SHA512
4c0d22dd9097ecaddc0235e6dc1c3b322d7892f5c0f015375fb535cb0c583b6d9b4d6e20574b9f69734b0999ab7bf55839aeb2069f8766b0b970c34cf8ff6288

Download Submit
memory/396-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/396-140-0x0000000000000000-mapping.dmp

Download
memory/396-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/396-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/396-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-132-0x0000000000000000-mapping.dmp

Download
memory/3128-139-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3128-134-0x0000000000000000-mapping.dmp

Download
memory/3128-138-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4620-147-0x0000000000000000-mapping.dmp

Download
memory/4620-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4620-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4620-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4620-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4744-130-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4744-137-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4744-131-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads