Analysis
-
max time kernel
142s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-06-2022 09:28
Static task
static1
Behavioral task
behavioral1
Sample
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe
Resource
win10v2004-20220414-en
General
-
Target
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe
-
Size
839KB
-
MD5
e6a4c86a07c1a1ee6d19c859a7fbb448
-
SHA1
7feb2ed702d4bdbb747ae09151eef9a6a0e7a2f2
-
SHA256
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2
-
SHA512
c612db2c8cad151b5ec733e3a0ec53386a366800f9a96f4a69465cd0ed640ab31751d0e4b762d59873e0894aefa43a178ed63df87bb02e6fb6f35abefd663bc6
Malware Config
Signatures
-
NirSoft MailPassView 11 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1712-67-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1712-68-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1712-70-0x000000000047EA7E-mapping.dmp MailPassView behavioral1/memory/1712-72-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1712-73-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1712-77-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1712-80-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1792-83-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1792-84-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/1792-87-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1792-89-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 11 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1712-67-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1712-68-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1712-70-0x000000000047EA7E-mapping.dmp WebBrowserPassView behavioral1/memory/1712-72-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1712-73-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1712-77-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1712-80-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1600-90-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1600-91-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1600-94-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1600-95-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 15 IoCs
Processes:
resource yara_rule behavioral1/memory/1712-67-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1712-68-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1712-70-0x000000000047EA7E-mapping.dmp Nirsoft behavioral1/memory/1712-72-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1712-73-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1712-77-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1712-80-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1792-83-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1792-84-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/1792-87-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1792-89-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1600-90-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1600-91-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1600-94-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1600-95-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Project772.exeProject772.exepid process 1528 Project772.exe 1712 Project772.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 1344 cmd.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Project772.exeProject772.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\Project772.exe -boot" Project772.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Project772.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Project772.exeProject772.exedescription pid process target process PID 1528 set thread context of 1712 1528 Project772.exe Project772.exe PID 1712 set thread context of 1792 1712 Project772.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exeProject772.exeProject772.exedescription pid process Token: SeDebugPrivilege 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe Token: SeDebugPrivilege 1528 Project772.exe Token: SeDebugPrivilege 1712 Project772.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Project772.exepid process 1712 Project772.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.execmd.exeProject772.exeProject772.exedescription pid process target process PID 1976 wrote to memory of 1272 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1272 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1272 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1272 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1344 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1344 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1344 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1976 wrote to memory of 1344 1976 a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe cmd.exe PID 1344 wrote to memory of 1528 1344 cmd.exe Project772.exe PID 1344 wrote to memory of 1528 1344 cmd.exe Project772.exe PID 1344 wrote to memory of 1528 1344 cmd.exe Project772.exe PID 1344 wrote to memory of 1528 1344 cmd.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1528 wrote to memory of 1712 1528 Project772.exe Project772.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe PID 1712 wrote to memory of 1792 1712 Project772.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe"C:\Users\Admin\AppData\Local\Temp\a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2.exe" "C:\Users\Admin\Documents\Project772.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\Project772.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Project772.exe"C:\Users\Admin\Documents\Project772.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Project772.exe"C:\Users\Admin\Documents\Project772.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\Project772.exeFilesize
839KB
MD5e6a4c86a07c1a1ee6d19c859a7fbb448
SHA17feb2ed702d4bdbb747ae09151eef9a6a0e7a2f2
SHA256a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2
SHA512c612db2c8cad151b5ec733e3a0ec53386a366800f9a96f4a69465cd0ed640ab31751d0e4b762d59873e0894aefa43a178ed63df87bb02e6fb6f35abefd663bc6
-
C:\Users\Admin\Documents\Project772.exeFilesize
839KB
MD5e6a4c86a07c1a1ee6d19c859a7fbb448
SHA17feb2ed702d4bdbb747ae09151eef9a6a0e7a2f2
SHA256a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2
SHA512c612db2c8cad151b5ec733e3a0ec53386a366800f9a96f4a69465cd0ed640ab31751d0e4b762d59873e0894aefa43a178ed63df87bb02e6fb6f35abefd663bc6
-
C:\Users\Admin\Documents\Project772.exeFilesize
839KB
MD5e6a4c86a07c1a1ee6d19c859a7fbb448
SHA17feb2ed702d4bdbb747ae09151eef9a6a0e7a2f2
SHA256a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2
SHA512c612db2c8cad151b5ec733e3a0ec53386a366800f9a96f4a69465cd0ed640ab31751d0e4b762d59873e0894aefa43a178ed63df87bb02e6fb6f35abefd663bc6
-
\Users\Admin\Documents\Project772.exeFilesize
839KB
MD5e6a4c86a07c1a1ee6d19c859a7fbb448
SHA17feb2ed702d4bdbb747ae09151eef9a6a0e7a2f2
SHA256a2a648eab1014219484ef6c41803fed6d35ffb6bc585bd0ad56136f1c5e199f2
SHA512c612db2c8cad151b5ec733e3a0ec53386a366800f9a96f4a69465cd0ed640ab31751d0e4b762d59873e0894aefa43a178ed63df87bb02e6fb6f35abefd663bc6
-
memory/1272-57-0x0000000000000000-mapping.dmp
-
memory/1344-58-0x0000000000000000-mapping.dmp
-
memory/1528-61-0x0000000000000000-mapping.dmp
-
memory/1528-63-0x0000000001000000-0x00000000010DA000-memory.dmpFilesize
872KB
-
memory/1600-95-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1600-94-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1600-91-0x0000000000442628-mapping.dmp
-
memory/1600-90-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1712-70-0x000000000047EA7E-mapping.dmp
-
memory/1712-82-0x0000000000B10000-0x0000000000B18000-memory.dmpFilesize
32KB
-
memory/1712-64-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-72-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-67-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-73-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-77-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-80-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-81-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1712-68-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-65-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1712-88-0x0000000000655000-0x0000000000666000-memory.dmpFilesize
68KB
-
memory/1792-87-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1792-89-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1792-84-0x0000000000411654-mapping.dmp
-
memory/1792-83-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1976-54-0x0000000000DF0000-0x0000000000ECA000-memory.dmpFilesize
872KB
-
memory/1976-56-0x00000000004C0000-0x00000000004DC000-memory.dmpFilesize
112KB
-
memory/1976-55-0x0000000004B50000-0x0000000004BF6000-memory.dmpFilesize
664KB