Analysis
- max time kernel: 172s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 09:28

Static task: static1

Behavioral task: behavioral1
- Sample: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe
- Resource: win10v2004-20220414-en
General
- Target: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe
- Size: 949KB
- MD5: 9596164a5d9b017918e8ebec60739069
- SHA1: 7ad289bc302be09fcfe3e7846253c584f251d398
- SHA256: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7
- SHA512: 0b2f9001e84f68e65cf53334a8b72644d609c99590dfb5a8155ce1fa4d704f6bcec541e3602a191d9769118864812d8e0ec12f4509f69a89f6142cbff5b11b2e
Malware Config
Signatures

NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients
Processes (resource -> yara_rule):
- behavioral2/memory/3904-141-0x0000000000400000-0x0000000000484000-memory.dmp -> MailPassView
- behavioral2/memory/1408-145-0x0000000000000000-mapping.dmp -> MailPassView
- behavioral2/memory/1408-146-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
- behavioral2/memory/1408-148-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
- behavioral2/memory/1408-149-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
- behavioral2/memory/1408-150-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
Processes (resource -> yara_rule):
- behavioral2/memory/3904-141-0x0000000000400000-0x0000000000484000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/2188-151-0x0000000000000000-mapping.dmp -> WebBrowserPassView
- behavioral2/memory/2188-152-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView

Nirsoft (8 IoCs)
Processes (resource -> yara_rule):
- behavioral2/memory/3904-141-0x0000000000400000-0x0000000000484000-memory.dmp -> Nirsoft
- behavioral2/memory/1408-145-0x0000000000000000-mapping.dmp -> Nirsoft
- behavioral2/memory/1408-146-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/1408-148-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/1408-149-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/1408-150-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/2188-151-0x0000000000000000-mapping.dmp -> Nirsoft
- behavioral2/memory/2188-152-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1060 product3784.exe
- 3904 product3784.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe)

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Desktop\\product3784.exe -boot" (product3784.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (product3784.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 48: whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
- PID 1060 set thread context of 3904: product3784.exe -> product3784.exe
- PID 3904 set thread context of 1408: product3784.exe -> vbc.exe
- PID 3904 set thread context of 2188: product3784.exe -> vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 3656, a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe
- Token: SeDebugPrivilege, PID 1060, product3784.exe
- Token: SeDebugPrivilege, PID 3904, product3784.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 3904 product3784.exe

Suspicious use of WriteProcessMemory (35 IoCs)
Processes (description, pid, process, target process); identical rows are collapsed with their count:
- PID 3656 wrote to memory of 2200: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe -> cmd.exe (3 times)
- PID 3656 wrote to memory of 1720: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe -> cmd.exe (3 times)
- PID 1720 wrote to memory of 1060: cmd.exe -> product3784.exe (3 times)
- PID 1060 wrote to memory of 3904: product3784.exe -> product3784.exe (8 times)
- PID 3904 wrote to memory of 1408: product3784.exe -> vbc.exe (9 times)
- PID 3904 wrote to memory of 2188: product3784.exe -> vbc.exe (9 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7.exe" "C:\Users\Admin\Desktop\product3784.exe"

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\product3784.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\Desktop\product3784.exe
         Command line: "C:\Users\Admin\Desktop\product3784.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\Desktop\product3784.exe
            Command line: "C:\Users\Admin\Desktop\product3784.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               - Accesses Microsoft Outlook accounts

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\product3784.exe
  Filesize: 949KB
  MD5: 9596164a5d9b017918e8ebec60739069
  SHA1: 7ad289bc302be09fcfe3e7846253c584f251d398
  SHA256: a00cac3fbd48c43d65837efee960492c4843e8ae76a2745a35206d59287bb7b7
  SHA512: 0b2f9001e84f68e65cf53334a8b72644d609c99590dfb5a8155ce1fa4d704f6bcec541e3602a191d9769118864812d8e0ec12f4509f69a89f6142cbff5b11b2e
- memory/1060-136-0x0000000000000000-mapping.dmp
- memory/1060-139-0x0000000005760000-0x00000000057FC000-memory.dmp (Filesize: 624KB)
- memory/1408-150-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1408-149-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1408-148-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1408-146-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1408-145-0x0000000000000000-mapping.dmp
- memory/1720-135-0x0000000000000000-mapping.dmp
- memory/2188-151-0x0000000000000000-mapping.dmp
- memory/2188-152-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/2200-134-0x0000000000000000-mapping.dmp
- memory/3656-130-0x0000000000A40000-0x0000000000B36000-memory.dmp (Filesize: 984KB)
- memory/3656-133-0x0000000007BA0000-0x0000000007BAA000-memory.dmp (Filesize: 40KB)
- memory/3656-132-0x00000000080D0000-0x0000000008674000-memory.dmp (Filesize: 5.6MB)
- memory/3656-131-0x0000000005490000-0x0000000005522000-memory.dmp (Filesize: 584KB)
- memory/3904-141-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/3904-140-0x0000000000000000-mapping.dmp
- memory/3904-143-0x0000000005410000-0x0000000005466000-memory.dmp (Filesize: 344KB)
- memory/3904-144-0x00000000090D0000-0x0000000009136000-memory.dmp (Filesize: 408KB)