a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d

General

Target

a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe
Size

764KB
MD5

d676648ba14480398bb328d1282d32a5
SHA1

a68f335c3df9f10bfd499445ba060512d70b4bc7
SHA256

a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d
SHA512

3c3357aee7f5b7875950682900b4b7e2f70c5451d019b37043b3e9aaa5307b08050e7c258cc84c3f466c4ac34301206d13cdce442e8e0050b8751875c5689350

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/5028-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5028-147-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/5028-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3512-138-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3512-140-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3512-141-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3512-142-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3512-138-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/3512-140-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/3512-141-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/3512-142-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/5028-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5028-147-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/5028-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 bot.whatismyipaddress.com

flow	ioc
42	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exeRegSvcs.exe

description	pid	process	target process
PID 388 set thread context of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 4512 set thread context of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 set thread context of 5028	4512	RegSvcs.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vbc.exeRegSvcs.exe

pid process

3512 vbc.exe
3512 vbc.exe
3512 vbc.exe
3512 vbc.exe
4512 RegSvcs.exe
4512 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4512 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4512 RegSvcs.exe

pid	process
3512	vbc.exe
3512	vbc.exe
3512	vbc.exe
3512	vbc.exe
4512	RegSvcs.exe
4512	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4512	RegSvcs.exe

pid	process
4512	RegSvcs.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exeRegSvcs.exe

description	pid	process	target process
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 388 wrote to memory of 4512	388	a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe	RegSvcs.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 3512	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe
PID 4512 wrote to memory of 5028	4512	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe
"C:\Users\Admin\AppData\Local\Temp\a19ef3c8f6c0c6ce70f506b53b53a3a17b42d72fa10153a041e6a5e85ea4277d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA0E4.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp

Filesize
4KB

MD5
a44410c464bc23ac615f732de976447c

SHA1
e13bb8bfa077dd78dda795b3c21750f217ba4d36

SHA256
a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6

SHA512
15e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a

Download Submit
memory/388-131-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/388-134-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/388-130-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3512-141-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3512-142-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3512-137-0x0000000000000000-mapping.dmp

Download
memory/3512-138-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3512-140-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4512-135-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/4512-136-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/4512-132-0x0000000000000000-mapping.dmp

Download
memory/5028-144-0x0000000000000000-mapping.dmp

Download
memory/5028-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5028-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5028-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads