Analysis
- max time kernel: 170s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-06-2022 14:32

Static task: static1
Behavioral task: behavioral1
  Sample: 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
  Resource: win10v2004-20220414-en

General
- Target: 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
- Size: 604KB
- MD5: 35270318eecbfbda22754799d481e00a
- SHA1: be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638
- SHA256: 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8
- SHA512: d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a
Malware Config
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp | MailPassView
behavioral2/memory/5096-148-0x0000000000000000-mapping.dmp | MailPassView
behavioral2/memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp | WebBrowserPassView
behavioral2/memory/4916-153-0x0000000000000000-mapping.dmp | WebBrowserPassView
behavioral2/memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft 10 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp | Nirsoft
behavioral2/memory/5096-148-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4916-153-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
772 | Windows Update.exe
4388 | Windows Update.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
20 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 1904 set thread context of 4152 | 1904 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 772 set thread context of 4388 | 772 | Windows Update.exe | Windows Update.exe
PID 4388 set thread context of 5096 | 4388 | Windows Update.exe | vbc.exe
PID 4388 set thread context of 4916 | 4388 | Windows Update.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1904 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
1904 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
772 | Windows Update.exe
772 | Windows Update.exe
4388 | Windows Update.exe (this row is repeated 60 times in the report, for 64 IoCs in total)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1904 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
Token: SeDebugPrivilege | 772 | Windows Update.exe
Token: SeDebugPrivilege | 4388 | Windows Update.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4388 | Windows Update.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
description | pid | process | target process
PID 1904 wrote to memory of 4152 | 1904 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe (8 entries)
PID 4152 wrote to memory of 772 | 4152 | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe | Windows Update.exe (3 entries)
PID 772 wrote to memory of 4388 | 772 | Windows Update.exe | Windows Update.exe (8 entries)
PID 4388 wrote to memory of 5096 | 4388 | Windows Update.exe | vbc.exe (9 entries)
PID 4388 wrote to memory of 4916 | 4388 | Windows Update.exe | vbc.exe (9 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe"
Level: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe"
Level: 2
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Level: 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Level: 4
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Level: 5
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Level: 5
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe.log
Filesize: 411B
MD5: 39582d3351c79bbe6b34c92b86bb2e15
SHA1: 0a5bc37313778570ffd8b7664fd04380446641f3
SHA256: a77ea8a3f342c18bc35e84d0c0255345ae259f80dd9ac4837760e5e4d5f593aa
SHA512: 4e6acca2e4fd55d3dcdcaba0155364dcf17924113f23bb58c895e0119a79906f4e3fd1950d1dbb405cc02509373a1e2057a46dbc364189779ae96abb19214283
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: 10b055e152a5d8080897d8da0edfa6b3
SHA1: c66e7484f33d78fb7749ca599ab3f8c7cc7cf738
SHA256: 246d6455652a5300d1d19e1a8737abdb215dcf22c4e2781e4074723aa5a49287
SHA512: 3ebda079e5cd1c1cee619bedec3aa5bbacdd15ad36a61cc82c5afee1200934c0deba9bce911daa83a2e52a58c8b4199baaad9758d463ef7a96b8b8668c239107
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 604KB
MD5: 35270318eecbfbda22754799d481e00a
SHA1: be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638
SHA256: 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8
SHA512: d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a
-
memory/772-140-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/772-144-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/772-135-0x0000000000000000-mapping.dmp
-
memory/1904-133-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/1904-130-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp
Filesize: 560KB
-
memory/4152-134-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/4152-139-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/4152-131-0x0000000000000000-mapping.dmp
-
memory/4388-147-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/4388-145-0x0000000074E00000-0x00000000753B1000-memory.dmp
Filesize: 5.7MB
-
memory/4388-141-0x0000000000000000-mapping.dmp
-
memory/4916-153-0x0000000000000000-mapping.dmp
-
memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/5096-148-0x0000000000000000-mapping.dmp
-
memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB