e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a

Analysis

max time kernel
126s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/06/2022, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe
Size

1.0MB
MD5

97a2ab1a919748de874d2420c6d138a1
SHA1

c052e8b275800fa00b1034743c0394ede191c0be
SHA256

e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a
SHA512

b640e83dccbbb0f101898dd6e2599e5cb0d655ecc2d573aa7ed2395c6fb90a45d6582237981678d6a10a1d293eda240c2541bd6eb268553cc949f4a6b500a16f

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2980-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/2980-150-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/2980-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3648-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3648-143-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3648-144-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3648-145-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/3648-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3648-143-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3648-144-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3648-145-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2980-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2980-150-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2980-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 4252 set thread context of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 set thread context of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
3648	vbc.exe
4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe
4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4444	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	88
PID 2508 wrote to memory of 4444	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	88
PID 2508 wrote to memory of 4444	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	88
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 2508 wrote to memory of 4252	2508	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	90
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 3648	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	91
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92
PID 4252 wrote to memory of 2980	4252	e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe	92

C:\Users\Admin\AppData\Local\Temp\e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe
"C:\Users\Admin\AppData\Local\Temp\e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jfXCYR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5CD5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe
  "C:\Users\Admin\AppData\Local\Temp\e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp958A.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e4524474dc0dd7baf4474ec7700268311bda6eb1862a0c41c8e527acd761378a.exe.log

Filesize
500B

MD5
f3bfbe5958adfc86cc0ea0a8317ea113

SHA1
3bf76848af2edafcacee5f9fb6a06b35a6724015

SHA256
598715cafd950c881e4fe318430b5830e95781f2093baa22f124cfad03320874

SHA512
873fb9861d615ec3298ccba8231ea3f2a22f2050fe68fea1a6948987942c04f6b40f0b92d5e59f6971cdb429b67877ac2e3cfc953949a0140e03c6cdb8a1139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CD5.tmp

Filesize
1KB

MD5
6eb2d327f444bd155989c07dd59e0421

SHA1
32decc56d8f6100d42923331329546c71eb99402

SHA256
e87a60afe035fb6353d5e8bd38c823f0fdcee1a4d0ed3610c34c5100d526ef9a

SHA512
e3c186857a63b910d620ca557e66541a12d1a22fe3a95fef4b6769a2c821d50ce43d8b61c445c7c6d1f1f9ef169e2c3d73761d5a9c2fb1d60f4812242527e8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp

Filesize
4KB

MD5
bdf65f70610625cc771c5cc7ce168c7d

SHA1
a8829b1c071ed0521d11925a98468c12a53a03b8

SHA256
b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5

SHA512
add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4

Download Submit
memory/2508-137-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2508-130-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2508-131-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2980-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2980-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2980-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3648-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3648-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3648-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3648-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4252-139-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4252-138-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download