Analysis
max time kernel: 153s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-06-2022 13:51
Static task: static1
Behavioral task: behavioral1
- Sample: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
- Resource: win10v2004-20220414-en
General
Target: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
Size: 502KB
MD5: 3d04655fff9858e8791c55ae2044a960
SHA1: fe8126d174403cb0ee84487497f4bc4bfeb3897c
SHA256: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
SHA512: faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
Malware Config
Signatures
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes:
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: MailPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: MailPassView
- behavioral2/memory/1916-139-0x0000000000000000-mapping.dmp: MailPassView
- behavioral2/memory/1916-140-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral2/memory/1916-142-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral2/memory/1916-143-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes:
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: WebBrowserPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: WebBrowserPassView
- behavioral2/memory/1836-144-0x0000000000000000-mapping.dmp: WebBrowserPassView
- behavioral2/memory/1836-145-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral2/memory/1836-147-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral2/memory/1836-148-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral2/memory/1836-150-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
Nirsoft 11 IoCs
Processes:
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: Nirsoft
- C:\Users\Admin\AppData\Roaming\Windows Update.exe: Nirsoft
- behavioral2/memory/1916-139-0x0000000000000000-mapping.dmp: Nirsoft
- behavioral2/memory/1916-140-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral2/memory/1916-142-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral2/memory/1916-143-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral2/memory/1836-144-0x0000000000000000-mapping.dmp: Nirsoft
- behavioral2/memory/1836-145-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral2/memory/1836-147-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral2/memory/1836-148-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral2/memory/1836-150-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
Executes dropped EXE 1 IoCs
Processes:
Processes (pid, process):
- PID 2128: Windows Update.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Uses the VBS compiler for execution 1 TTPs
vbc.exe is the Visual Basic .NET command-line compiler shipped under C:\Windows\Microsoft.NET, not the VBScript engine. In this run it compiles nothing: "Windows Update.exe" starts two vbc.exe instances, writes into their memory and calls SetThreadContext on them (see the SetThreadContext and WriteProcessMemory signatures below), and the memory dumped from those processes matches the NirSoft MailPassView and WebBrowserPassView rules above. The compiler is the hollowed host process for the credential-dumping tools.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (Windows Update.exe)
Note the mismatch: the Run value points at WindowsUpdate.exe (no space), while the file the sample dropped and that appears in the Downloads section is "Windows Update.exe" (with a space). The report records no file at the path the Run value names, so when hunting for this persistence, check both spellings under %APPDATA% as well as the Run value itself.
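The Run value above names WindowsUpdate.exe while the dropped file is "Windows Update.exe". The following Python is an added example, not part of the sandbox report or its vendor's tooling: it takes the Run value and the dropped-file paths from this report, enumerates the executable paths Windows would try for that value (one candidate for a quoted path; for an unquoted path containing spaces, the left-to-right probing CreateProcess applies, appending .exe to a candidate that has no extension) and checks whether any candidate is a file the sample dropped. The probing order is standard CreateProcess behaviour; the values and file list are copied from the report.

```python
"""Does a Run-key value actually point at something the sample dropped?

Added example for this report (not sandbox output). Inputs are copied from the
sections above; the candidate-path logic mirrors CreateProcess: a quoted
command line has one candidate, an unquoted one containing spaces is probed
left to right ("C:\\a b\\c.exe" -> "C:\\a", then "C:\\a b\\c.exe"), and a
candidate without an extension also gets ".exe" appended.
"""
import ntpath
from typing import Dict, List

# Run value from the "Adds Run key" section. The registry holds single
# backslashes; the report shows them doubled.
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"

# Files from the report's Downloads section (memory dumps omitted).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
    r"C:\Users\Admin\AppData\Local\Temp\SysInfo.txt",
    r"C:\Users\Admin\AppData\Local\Temp\holderwb.txt",
]


def candidate_executables(command_line: str) -> List[str]:
    """Executable paths Windows would try for a Run value, in probing order."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end > 0 else cmd[1:]]
    # Unquoted: every prefix ending at a space is tried before the full string.
    words = cmd.split(" ")
    return [" ".join(words[: i + 1]) for i in range(len(words))]


def check_run_value(run_value: str, dropped: List[str]) -> Dict[str, object]:
    """Resolve the Run value against the dropped files.

    Returns the candidate list, which candidate (if any) matched a dropped
    file, and whether that match is only reached after an earlier candidate
    failed (the unquoted-path ambiguity: a file planted at the shorter name
    would run instead).
    """
    dropped_norm = {ntpath.normcase(p) for p in dropped}
    candidates = candidate_executables(run_value)
    for index, cand in enumerate(candidates):
        variants = [cand] if ntpath.splitext(cand)[1] else [cand, cand + ".exe"]
        for variant in variants:
            if ntpath.normcase(variant) in dropped_norm:
                return {"resolves": True, "target": variant,
                        "candidates": candidates, "ambiguous": index > 0}
    return {"resolves": False, "target": None,
            "candidates": candidates, "ambiguous": False}


if __name__ == "__main__":
    for value in (RUN_VALUE, r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"):
        print(value, "->", check_run_value(value, DROPPED_FILES))
```

Run against the report's value the check returns resolves=False: the single candidate is not among the dropped files. Run against the dropped file's own path unquoted, it resolves, but only at the second candidate, which is the ambiguity an unquoted path with a space introduces.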
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Processes (flow, ioc):
- flow 39: whatismyipaddress.com
- flow 41: whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs
Processes:
Processes (description, pid, process, target process):
- PID 2128 (Windows Update.exe) set thread context of PID 1916 (vbc.exe)
- PID 2128 (Windows Update.exe) set thread context of PID 1836 (vbc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; nothing else in this report supports that reading (no file encryption or ransom note is recorded), and alongside the NirSoft matches, the dropped SysInfo.txt and the external-IP lookup it is more consistent with the system-profiling and credential-theft behaviour seen elsewhere in this run.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes (pid, process):
- PID 2128: Windows Update.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Processes (description, pid, process):
- Token: SeDebugPrivilege (PID 2128, Windows Update.exe)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Processes (pid, process):
- PID 2128: Windows Update.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Processes (description, pid, process, target process):
- PID 3100 (2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe) wrote to memory of PID 2128 (Windows Update.exe): 3 entries
- PID 2128 (Windows Update.exe) wrote to memory of PID 1916 (vbc.exe): 9 entries
- PID 2128 (Windows Update.exe) wrote to memory of PID 1836 (vbc.exe): 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe (PID 3100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 2128, child of 3100)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of 2128)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of 2128)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

The two vbc.exe children are PIDs 1916 and 1836 in the signature data above. Neither is compiling anything: "Windows Update.exe" starts each one, writes into it and resets its thread context, and the memory dumped from them matches NirSoft MailPassView (PID 1916) and WebBrowserPassView (PID 1836). /stext <file> is the NirSoft command-line switch for saving recovered passwords to a plain-text file, so holdermail.txt and holderwb.txt are the intended credential output files. Only holderwb.txt (3KB) appears in the Downloads section; holdermail.txt does not.
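The signatures above (WriteProcessMemory followed by SetThreadContext from "Windows Update.exe" into each vbc.exe, and each vbc.exe then carrying a NirSoft /stext switch) are the fingerprint of process hollowing. The Python below is an added example, not part of this report or the sandbox vendor's tooling: it parses IOC lines in the report's own format (a representative subset of the entries above, embedded as constructed input), joins the memory-write and thread-context edges per (injector, host) pair, and flags pairs where the host is a binary under C:\Windows whose command line names a /stext output file. The PID-to-command-line table is an assumption consistent with the report: the report gives PIDs 1916 and 1836 for the two vbc.exe instances but does not say which received which command line; pairing 1916 with holdermail.txt follows the MailPassView match in that process's memory.

```python
"""Find process-hollowing chains in sandbox-style IOC lines.

Added example for this report, not sandbox output. IOC_LINES is a
representative subset of the "Suspicious use of WriteProcessMemory" and
"Suspicious use of SetThreadContext" entries above; PROCESSES is an assumed
PID -> command line pairing (the report lists the vbc.exe PIDs and command
lines separately and does not pair them explicitly).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

IOC_LINES = [
    # parent -> dropped self-copy: memory writes only, no SetThreadContext
    "PID 3100 wrote to memory of 2128 3100 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe Windows Update.exe",
    "PID 3100 wrote to memory of 2128 3100 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe Windows Update.exe",
    "PID 3100 wrote to memory of 2128 3100 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe Windows Update.exe",
    # dropped copy -> first vbc.exe host
    "PID 2128 wrote to memory of 1916 2128 Windows Update.exe vbc.exe",
    "PID 2128 wrote to memory of 1916 2128 Windows Update.exe vbc.exe",
    "PID 2128 set thread context of 1916 2128 Windows Update.exe vbc.exe",
    # dropped copy -> second vbc.exe host
    "PID 2128 wrote to memory of 1836 2128 Windows Update.exe vbc.exe",
    "PID 2128 wrote to memory of 1836 2128 Windows Update.exe vbc.exe",
    "PID 2128 set thread context of 1836 2128 Windows Update.exe vbc.exe",
]

# Assumed PID -> command line pairing (see module docstring).
PROCESSES: Dict[int, str] = {
    3100: r'"C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"',
    2128: r'"C:\Users\Admin\AppData\Roaming\Windows Update.exe"',
    1916: r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"',
    1836: r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"',
}

Edge = Tuple[int, int]
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# NirSoft's /stext <file> switch: save recovered passwords as plain text.
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def parse_edges(lines: List[str]) -> Tuple[Dict[Edge, int], Set[Edge]]:
    """Count memory writes per (src, dst) and collect SetThreadContext pairs."""
    writes: Dict[Edge, int] = defaultdict(int)
    contexts: Set[Edge] = set()
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            writes[(int(m[1]), int(m[2]))] += 1
            continue
        m = CONTEXT_RE.search(line)
        if m:
            contexts.add((int(m[1]), int(m[2])))
    return writes, contexts


def image_path(command_line: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def find_hollowing(lines: List[str], processes: Dict[int, str]) -> List[Dict[str, object]]:
    """Flag (injector, host) pairs with both WriteProcessMemory and SetThreadContext.

    Writes without a context change (3100 -> 2128 here) are not flagged: that
    pattern alone does not distinguish hollowing from a parent starting a child.
    """
    writes, contexts = parse_edges(lines)
    findings = []
    for src, dst in sorted(contexts):
        if (src, dst) not in writes:
            continue
        cmd = processes.get(dst, "")
        host = image_path(cmd)
        m = STEXT_RE.search(cmd)
        findings.append({
            "injector": src,
            "host": dst,
            "host_image": host,
            "writes": writes[(src, dst)],
            "trusted_host": host.lower().startswith("c:\\windows\\"),
            "stext_output": (m[1] or m[2]) if m else None,
        })
    return findings


def injection_chain(lines: List[str], root: int) -> List[int]:
    """PIDs reachable from root by following memory-write edges (BFS order)."""
    writes, _ = parse_edges(lines)
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    order, queue, seen = [], [root], {root}
    while queue:
        pid = queue.pop(0)
        order.append(pid)
        for child in sorted(children[pid]):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


if __name__ == "__main__":
    print("write chain from sample:", injection_chain(IOC_LINES, 3100))
    for finding in find_hollowing(IOC_LINES, PROCESSES):
        print(finding)
```

On the report's data this yields the chain 3100 -> 2128 -> {1836, 1916} and two hollowing findings, both with a host under C:\Windows and a /stext output path, which is the combination worth alerting on: a trusted framework binary that has had its memory rewritten and its thread context replaced, and whose command line asks a credential-recovery tool to write results to a text file.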
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: bba5457bf72a9f14ca56634a6511ddcf
  SHA1: 930142b04d92f0f3db50b109f02c77e614462fab
  SHA256: 79507aafe39ec8c4b95d8023c542c3e22ad7d349c026cdf47620e5b4c80eb1eb
  SHA512: b1889ac5ce52095e9427d5d409c88e2e14edbed1ae2e5bc4edc54b4e3fe60d0f7b54a88abc447ad09158560dafc57b7fa61221492b5b462132a3f05074e2c656
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed twice in the report with identical hashes; shown once here)
  Filesize: 502KB
  MD5: 3d04655fff9858e8791c55ae2044a960
  SHA1: fe8126d174403cb0ee84487497f4bc4bfeb3897c
  SHA256: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
  SHA512: faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
  These hashes are identical to the submitted sample: the dropped file is a byte-for-byte self-copy into %APPDATA%.

Memory dumps:
- memory/1836-144-0x0000000000000000-mapping.dmp
- memory/1836-145-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1836-147-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1836-148-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1836-150-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1916-139-0x0000000000000000-mapping.dmp
- memory/1916-140-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1916-142-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1916-143-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/2128-132-0x0000000000000000-mapping.dmp
- memory/2128-136-0x00000000746F0000-0x0000000074CA1000-memory.dmp: 5.7MB
- memory/2128-137-0x00000000746F0000-0x0000000074CA1000-memory.dmp: 5.7MB
- memory/3100-130-0x00000000746F0000-0x0000000074CA1000-memory.dmp: 5.7MB
- memory/3100-131-0x00000000746F0000-0x0000000074CA1000-memory.dmp: 5.7MB
- memory/3100-135-0x00000000746F0000-0x0000000074CA1000-memory.dmp: 5.7MB

The 0x400000 regions dumped from PIDs 1916 (108KB) and 1836 (352KB) are the images that matched the NirSoft MailPassView and WebBrowserPassView rules in the Signatures section, i.e. the payloads written into the hollowed vbc.exe hosts. The 5.7MB region at 0x746F0000 is dumped from both PID 3100 (the sample) and PID 2128 (its self-copy).