Analysis
Max time kernel: 150s
Max time network: 62s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 01-07-2022 05:38
Static task: static1
Behavioral task: behavioral1
Sample: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Resource: win7-20220414-en
General
Target: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Size: 1.6MB
MD5: 2faef484805c79f64e9d763c0895ee2e
SHA1: 4eadb9b6a1995c0f37b35e322336ba0cd05ecea6
SHA256: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f
SHA512: 1cd08134178fbb9cb0bc621953914055f28b2bc61df2a30f28c81db5a5d687ee0ddc817e8f59bec5d973950dcedc68f0f51189ed0b179780e52d15431c1539db
Malware Config
Signatures

NirSoft MailPassView (10 IoCs)
Password recovery tool for various email clients
Processes:
resource                                                                     yara_rule
behavioral1/memory/2028-67-0x0000000000970000-0x0000000001970000-memory.dmp  MailPassView
behavioral1/memory/2028-68-0x00000000009F2F9E-mapping.dmp                    MailPassView
behavioral1/memory/2028-70-0x0000000000970000-0x0000000001970000-memory.dmp  MailPassView
behavioral1/memory/2028-72-0x0000000000970000-0x0000000001970000-memory.dmp  MailPassView
behavioral1/memory/2028-73-0x0000000000970000-0x00000000009F8000-memory.dmp  MailPassView
behavioral1/memory/1080-79-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1080-80-0x0000000000411654-mapping.dmp                    MailPassView
behavioral1/memory/1080-83-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1080-84-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1080-86-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (9 IoCs)
Password recovery tool for various web browsers
Processes:
resource                                                                     yara_rule
behavioral1/memory/2028-67-0x0000000000970000-0x0000000001970000-memory.dmp  WebBrowserPassView
behavioral1/memory/2028-68-0x00000000009F2F9E-mapping.dmp                    WebBrowserPassView
behavioral1/memory/2028-70-0x0000000000970000-0x0000000001970000-memory.dmp  WebBrowserPassView
behavioral1/memory/2028-72-0x0000000000970000-0x0000000001970000-memory.dmp  WebBrowserPassView
behavioral1/memory/2028-73-0x0000000000970000-0x00000000009F8000-memory.dmp  WebBrowserPassView
behavioral1/memory/1140-87-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1140-88-0x0000000000442628-mapping.dmp                    WebBrowserPassView
behavioral1/memory/1140-91-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1140-93-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView

Nirsoft (14 IoCs)
Processes:
resource                                                                     yara_rule
behavioral1/memory/2028-67-0x0000000000970000-0x0000000001970000-memory.dmp  Nirsoft
behavioral1/memory/2028-68-0x00000000009F2F9E-mapping.dmp                    Nirsoft
behavioral1/memory/2028-70-0x0000000000970000-0x0000000001970000-memory.dmp  Nirsoft
behavioral1/memory/2028-72-0x0000000000970000-0x0000000001970000-memory.dmp  Nirsoft
behavioral1/memory/2028-73-0x0000000000970000-0x00000000009F8000-memory.dmp  Nirsoft
behavioral1/memory/1080-79-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1080-80-0x0000000000411654-mapping.dmp                    Nirsoft
behavioral1/memory/1080-83-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1080-84-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1080-86-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1140-87-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1140-88-0x0000000000442628-mapping.dmp                    Nirsoft
behavioral1/memory/1140-91-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1140-93-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
Executes dropped EXE (1 IoC)
Processes:
pid   process
1324  asvcmtnk.exe

Loads dropped DLL (1 IoC)
Processes:
pid   process
1100  WScript.exe

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
description  ioc                                                                                                                                 process
Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     whatismyipaddress.com
6     whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description                          pid   process       target process
PID 1324 set thread context of 2028  1324  asvcmtnk.exe  RegSvcs.exe
PID 2028 set thread context of 1080  2028  RegSvcs.exe   vbc.exe
PID 2028 set thread context of 1140  2028  RegSvcs.exe   vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid process, in the order reported):
1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 2028 RegSvcs.exe 2028 RegSvcs.exe 2028 RegSvcs.exe 2028 RegSvcs.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 2028 RegSvcs.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe 1324 asvcmtnk.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  2028  RegSvcs.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid   process
1708  DllHost.exe

Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
description                       pid   process                                                                target process
PID 1800 wrote to memory of 1100  1800  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe  WScript.exe
PID 1800 wrote to memory of 1100  1800  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe  WScript.exe
PID 1800 wrote to memory of 1100  1800  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe  WScript.exe
PID 1800 wrote to memory of 1100  1800  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe  WScript.exe
PID 1100 wrote to memory of 1324  1100  WScript.exe                                                            asvcmtnk.exe
PID 1100 wrote to memory of 1324  1100  WScript.exe                                                            asvcmtnk.exe
PID 1100 wrote to memory of 1324  1100  WScript.exe                                                            asvcmtnk.exe
PID 1100 wrote to memory of 1324  1100  WScript.exe                                                            asvcmtnk.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 1324 wrote to memory of 2028  1324  asvcmtnk.exe                                                           RegSvcs.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1080  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
PID 2028 wrote to memory of 1140  2028  RegSvcs.exe                                                            vbc.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99285611\mkcuo.vbe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe" velck.vjh
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe
Filesize: 732KB
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\99285611\mkcuo.vbe
Filesize: 36KB
MD5: c4aad26cbe2a14e3c1d47217e2461386
SHA1: ce43d2e02d8bea1f97d022eac2bc00bfd6274cb1
SHA256: 85d5e104c32355b8c68c57f16b5a782dd495596e57fdee38c374bcb0c77b0a4c
SHA512: eb374e648f384ead466e0a6687bb58719c7751b4054924ae5c0ceb163b2fcf14d181c2f9c0b3f4b2d179f7f87fea38a0a375c9096318881055e0a61a17b15eac

C:\Users\Admin\AppData\Local\Temp\99285611\rwjiqfe.log
Filesize: 1.1MB
MD5: e1c258d4ed9433aa03880897dc3823a9
SHA1: 413037cafa1573e0156c69c554f361fcc7da4424
SHA256: 696e6984a310c1f261e21beddacaf96b35e80ea6020e123d71545c1405242d1d
SHA512: b9ab4ccbc843bd626ce2f8716b87c04277e78dee592049514e9330c52cddd5b2756194213467031055dd9ce4258564ba8fd3450d2bc4b70cc445109744731bbd

C:\Users\Admin\AppData\Local\Temp\99285611\velck.vjh
Filesize: 278.1MB
MD5: 2022bdc583d046cf5f9a4f5d7d15fde8
SHA1: 6a06e9776d6d93765ac4af0e95147aeb2f4ae3d8
SHA256: 660c236ab606006760430627b97661c5bfb362dc0742bd6933d8a64966ffc247
SHA512: 2e7f9069876d98f8f305213746395f38268889821e4c20b2bb695600b9604e92ef42d5756ac7e2c0a8e38508e2ecb724b39395b2fb88301a5ba0333c7615ab6d

C:\Users\Admin\AppData\Local\Temp\BFile_1.jpg
Filesize: 5KB
MD5: a3149a36f97ff60049de5d4e251fe9d2
SHA1: 47a0082c5aad63eaf042e80b91351caccb8c2116
SHA256: 4369f2a49e78ae0de64f6f7125fc7ab26a969d8294bd7c7db1a18c5a8499108b
SHA512: 598523bcfa7b5886be8e9e6913b6c403001bad13bd2ef6c438dee09b07bb2fab343e558c3f490c8354f05b81640575ff515575baa92587878045270207d5fa21

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe
Filesize: 732KB
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Memory dumps (filesize where reported):
memory/1080-84-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1080-79-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1080-86-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1080-83-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/1080-80-0x0000000000411654-mapping.dmp
memory/1100-55-0x0000000000000000-mapping.dmp
memory/1140-87-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1140-93-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1140-91-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1140-88-0x0000000000442628-mapping.dmp
memory/1324-60-0x0000000000000000-mapping.dmp
memory/1800-54-0x0000000075C71000-0x0000000075C73000-memory.dmp  8KB
memory/2028-73-0x0000000000970000-0x00000000009F8000-memory.dmp  544KB
memory/2028-70-0x0000000000970000-0x0000000001970000-memory.dmp  16.0MB
memory/2028-85-0x0000000010075000-0x0000000010086000-memory.dmp  68KB
memory/2028-68-0x00000000009F2F9E-mapping.dmp
memory/2028-65-0x0000000000970000-0x0000000001970000-memory.dmp  16.0MB
memory/2028-72-0x0000000000970000-0x0000000001970000-memory.dmp  16.0MB
memory/2028-75-0x0000000010075000-0x0000000010086000-memory.dmp  68KB
memory/2028-67-0x0000000000970000-0x0000000001970000-memory.dmp  16.0MB
memory/2028-78-0x000000000D1A0000-0x000000000D1A8000-memory.dmp  32KB