Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 05:38
Static task: static1
Behavioral task: behavioral1
Sample: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Resource: win7-20220414-en
Note: the YARA and memory entries below are tagged behavioral2, i.e. the windows10-2004_x64 run named by the platform and resource fields above; the task list as captured shows only the behavioral1 (win7-20220414-en) entry.
General
Target: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Size: 1.6MB
MD5: 2faef484805c79f64e9d763c0895ee2e
SHA1: 4eadb9b6a1995c0f37b35e322336ba0cd05ecea6
SHA256: e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f
SHA512: 1cd08134178fbb9cb0bc621953914055f28b2bc61df2a30f28c81db5a5d687ee0ddc817e8f59bec5d973950dcedc68f0f51189ed0b179780e52d15431c1539db
Malware Config
Signatures
NirSoft MailPassView 7 IoCs
Password recovery tool for various email clients
resource                                                                     yara_rule
behavioral2/memory/1872-137-0x0000000000F00000-0x0000000001F00000-memory.dmp  MailPassView
behavioral2/memory/1872-138-0x0000000000F82F9E-mapping.dmp                    MailPassView
behavioral2/memory/1872-139-0x0000000000F00000-0x0000000000F88000-memory.dmp  MailPassView
behavioral2/memory/2836-146-0x0000000000000000-mapping.dmp                    MailPassView
behavioral2/memory/2836-147-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/2836-149-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/2836-150-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
resource                                                                     yara_rule
behavioral2/memory/1872-137-0x0000000000F00000-0x0000000001F00000-memory.dmp  WebBrowserPassView
behavioral2/memory/1872-138-0x0000000000F82F9E-mapping.dmp                    WebBrowserPassView
behavioral2/memory/1872-139-0x0000000000F00000-0x0000000000F88000-memory.dmp  WebBrowserPassView
behavioral2/memory/2228-151-0x0000000000000000-mapping.dmp                    WebBrowserPassView
behavioral2/memory/2228-152-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral2/memory/2228-154-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral2/memory/2228-155-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral2/memory/2228-157-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
Nirsoft 12 IoCs
Generic NirSoft rule; it fires on every region the two tool-specific rules above match.
resource                                                                     yara_rule
behavioral2/memory/1872-137-0x0000000000F00000-0x0000000001F00000-memory.dmp  Nirsoft
behavioral2/memory/1872-138-0x0000000000F82F9E-mapping.dmp                    Nirsoft
behavioral2/memory/1872-139-0x0000000000F00000-0x0000000000F88000-memory.dmp  Nirsoft
behavioral2/memory/2836-146-0x0000000000000000-mapping.dmp                    Nirsoft
behavioral2/memory/2836-147-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/2836-149-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/2836-150-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/2228-151-0x0000000000000000-mapping.dmp                    Nirsoft
behavioral2/memory/2228-152-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral2/memory/2228-154-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral2/memory/2228-155-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral2/memory/2228-157-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
Reading the three rule sets together: both NirSoft tools are already present in the RegSvcs.exe (1872) regions before any vbc.exe exists, so the stage running inside RegSvcs.exe carries both binaries embedded. They then appear separately at the 0x400000 image base of the two vbc.exe hosts: MailPassView only in 2836 (0x400000-0x41B000, 108KB) and WebBrowserPassView only in 2228 (0x400000-0x458000, 352KB). Those region sizes are the injected tools' images, not vbc.exe's own.
Executes dropped EXE 1 IoCs
pid   process
1420  asvcmtnk.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  WScript.exe
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. Here RegSvcs.exe starts it twice and hollows it (see the SetThreadContext and WriteProcessMemory entries below) so that the NirSoft password-recovery tools run under the name of a signed Microsoft binary. The /stext switch on its command line is NirSoft's save-to-text-file option; the real compiler does not accept it, so vbc.exe launched with /stext is a reliable detection on its own.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc                                                                                                                   process
Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
35    whatismyipaddress.com
33    whatismyipaddress.com
The request itself is benign and common; for detection, pair the destination with the originating process in proxy or EDR telemetry rather than alerting on the domain alone.
Suspicious use of SetThreadContext 3 IoCs
description                          pid   process       target process
PID 1420 set thread context of 1872  1420  asvcmtnk.exe  RegSvcs.exe
PID 1872 set thread context of 2836  1872  RegSvcs.exe   vbc.exe
PID 1872 set thread context of 2228  1872  RegSvcs.exe   vbc.exe
Each entry targets a child the same parent also wrote into (see WriteProcessMemory below): create the child suspended, write the payload image over it, point the primary thread's context at the new entry point, resume. That is process hollowing, applied twice in a row (asvcmtnk.exe into RegSvcs.exe, then RegSvcs.exe into each vbc.exe).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report shows file encryption or renaming; every other signature points to credential theft, so treat this entry as drive enumeration by a stealer, not as a ransomware indicator.
Modifies registry class 2 IoCs
description  ioc                                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings                  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
64 events listed, collapsed by process:
pid   process       events
1420  asvcmtnk.exe  58
1872  RegSvcs.exe   4
2228  vbc.exe       2
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   process
Token: SeDebugPrivilege  1872  RegSvcs.exe
Suspicious use of WriteProcessMemory 29 IoCs
29 events listed, collapsed by source and target:
description                       pid   process                                                                 target process  count
PID 3744 wrote to memory of 1324  3744  e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe  WScript.exe     3
PID 1324 wrote to memory of 1420  1324  WScript.exe                                                             asvcmtnk.exe    3
PID 1420 wrote to memory of 1872  1420  asvcmtnk.exe                                                            RegSvcs.exe     5
PID 1872 wrote to memory of 2836  1872  RegSvcs.exe                                                             vbc.exe         9
PID 1872 wrote to memory of 2228  1872  RegSvcs.exe                                                             vbc.exe         9
The three writes from the sample into WScript.exe and from WScript.exe into asvcmtnk.exe are consistent with ordinary process creation. The five into RegSvcs.exe and nine into each vbc.exe, each paired with a SetThreadContext entry above, are a PE image being written section by section into a suspended child before its thread is redirected, which is why the YARA rules match at the children's 0x400000 image base.
Processes
1. e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe (PID 3744)
   image:   C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. WScript.exe (PID 1324)
      image:   C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99285611\mkcuo.vbe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. asvcmtnk.exe (PID 1420)
         image:   C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe" velck.vjh
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. RegSvcs.exe (PID 1872)
            image:   C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. vbc.exe (PID 2836, matched by the MailPassView hits and the Outlook registry access)
               image:   C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               - Accesses Microsoft Outlook accounts
            5. vbc.exe (PID 2228, matched by the WebBrowserPassView hits)
               image:   C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               - Suspicious behavior: EnumeratesProcesses
The leading number is the depth in the tree (1 = submitted sample); PIDs are taken from the signature tables above. Reading notes: WScript.exe resolves to SysWOW64 although the command line names System32, so the whole chain is 32-bit (RegSvcs.exe and vbc.exe likewise come from Framework, not Framework64); RegSvcs.exe is launched with no arguments and vbc.exe with NirSoft's /stext switch, neither of which is a legitimate use of those binaries; asvcmtnk.exe takes the dropped velck.vjh as its only argument; RegSvcs.exe is the only process that enables SeDebugPrivilege.
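The process tree and the two injection tables can be turned into a small correlation rule. The block below is an added example, not code from the sandbox or from the sample: PROCS and EVENTS are constructed from this report's process tree and its WriteProcessMemory / SetThreadContext tables, and the pairing of the two vbc.exe children with PIDs (2836 for holdermail.txt, 2228 for holderwb.txt) is an inference from which YARA rules and signatures hit each PID, so treat it as an assumption. The rule reports a hollowing chain only where a parent both wrote into a child and reset one of its thread contexts, which keeps the ordinary three-write process creations out of the result.

```python
"""Correlate cross-process API events into process-hollowing chains.

Added example, not part of the sandbox report or of the sample. PROCS and
EVENTS are constructed from the report's process tree and its
WriteProcessMemory / SetThreadContext tables. Mapping the two vbc.exe
children to PIDs (2836 = holdermail.txt, 2228 = holderwb.txt) is an
inference from the YARA hits and signatures per PID, i.e. an assumption.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]
    image: str     # image path on disk
    cmdline: str   # command line as launched


def basename(path: str) -> str:
    """Last component of a Windows path (os.path.basename splits on '/' off Windows)."""
    return path.rsplit("\\", 1)[-1]


# Process tree, constructed from the report (PIDs from its signature tables).
PROCS = [
    Proc(3744, None,
         r"C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\e20620ebc722953b7f81d859a13249b778331dc59ccdb294190ee289151fcf0f.exe"'),
    Proc(1324, 3744, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99285611\mkcuo.vbe"'),
    Proc(1420, 1324, r"C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe" velck.vjh'),
    Proc(1872, 1420, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Assumption: 2836 ran the mail-password instance, 2228 the browser one.
    Proc(2836, 1872, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    Proc(2228, 1872, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
]

# Cross-process API events (api, source pid, target pid), constructed from the
# report's WriteProcessMemory (29 rows) and SetThreadContext (3 rows) tables.
EVENTS = (
    [("WriteProcessMemory", 3744, 1324)] * 3
    + [("WriteProcessMemory", 1324, 1420)] * 3
    + [("WriteProcessMemory", 1420, 1872)] * 5
    + [("WriteProcessMemory", 1872, 2836)] * 9
    + [("WriteProcessMemory", 1872, 2228)] * 9
    + [("SetThreadContext", 1420, 1872),
       ("SetThreadContext", 1872, 2836),
       ("SetThreadContext", 1872, 2228)]
)


def hollowing_chains(events):
    """Return {(src, dst): (writes, ctx_sets)} for every pair where the source
    both wrote into the target and reset one of its thread contexts. Pairs
    with writes only (ordinary CreateProcess traffic) are not reported."""
    writes = Counter((s, d) for api, s, d in events if api == "WriteProcessMemory")
    ctx = Counter((s, d) for api, s, d in events if api == "SetThreadContext")
    return {pair: (writes[pair], ctx[pair]) for pair in ctx if writes[pair] > 0}


def hollowed_dotnet_hosts(procs, events):
    """PIDs of Microsoft .NET framework binaries that their own parent hollowed."""
    chains = hollowing_chains(events)
    return {p.pid for p in procs
            if "\\Microsoft.NET\\Framework" in p.image and (p.parent, p.pid) in chains}


def nirsoft_stext_hosts(procs):
    """PIDs whose command line carries NirSoft's /stext switch, which the
    VB.NET compiler vbc.exe never takes on its own."""
    return {p.pid for p in procs if "/stext" in p.cmdline.lower()}


def describe(procs, events):
    """One human-readable line per detected hollowing chain, sorted by PIDs."""
    by_pid = {p.pid: p for p in procs}
    return [f"{basename(by_pid[s].image)}({s}) -> {basename(by_pid[d].image)}({d}): "
            f"{w} WriteProcessMemory, {c} SetThreadContext"
            for (s, d), (w, c) in sorted(hollowing_chains(events).items())]


if __name__ == "__main__":
    print("\n".join(describe(PROCS, EVENTS)))
    print("hollowed .NET hosts:", sorted(hollowed_dotnet_hosts(PROCS, EVENTS)))
    print("NirSoft /stext hosts:", sorted(nirsoft_stext_hosts(PROCS)))
```

The same three functions apply unchanged to Sysmon or EDR telemetry once the events are mapped to (api, source pid, target pid) tuples; the /stext check is the cheapest of the three and needs only process-creation logs.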
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exe (listed twice in the report with identical hashes)
  Filesize 732KB
  MD5    71d8f6d5dc35517275bc38ebcc815f9f
  SHA1   cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
C:\Users\Admin\AppData\Local\Temp\99285611\mkcuo.vbe
  Filesize 36KB
  MD5    c4aad26cbe2a14e3c1d47217e2461386
  SHA1   ce43d2e02d8bea1f97d022eac2bc00bfd6274cb1
  SHA256 85d5e104c32355b8c68c57f16b5a782dd495596e57fdee38c374bcb0c77b0a4c
  SHA512 eb374e648f384ead466e0a6687bb58719c7751b4054924ae5c0ceb163b2fcf14d181c2f9c0b3f4b2d179f7f87fea38a0a375c9096318881055e0a61a17b15eac
C:\Users\Admin\AppData\Local\Temp\99285611\rwjiqfe.log
  Filesize 1.1MB
  MD5    e1c258d4ed9433aa03880897dc3823a9
  SHA1   413037cafa1573e0156c69c554f361fcc7da4424
  SHA256 696e6984a310c1f261e21beddacaf96b35e80ea6020e123d71545c1405242d1d
  SHA512 b9ab4ccbc843bd626ce2f8716b87c04277e78dee592049514e9330c52cddd5b2756194213467031055dd9ce4258564ba8fd3450d2bc4b70cc445109744731bbd
C:\Users\Admin\AppData\Local\Temp\99285611\velck.vjh
  Filesize 278.1MB
  MD5    2022bdc583d046cf5f9a4f5d7d15fde8
  SHA1   6a06e9776d6d93765ac4af0e95147aeb2f4ae3d8
  SHA256 660c236ab606006760430627b97661c5bfb362dc0742bd6933d8a64966ffc247
  SHA512 2e7f9069876d98f8f305213746395f38268889821e4c20b2bb695600b9604e92ef42d5756ac7e2c0a8e38508e2ecb724b39395b2fb88301a5ba0333c7615ab6d
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize 3KB
  MD5    f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1   9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
Reading notes: mkcuo.vbe is an encoded VBScript (.vbe), the stage WScript.exe runs to launch asvcmtnk.exe. velck.vjh, the argument passed to asvcmtnk.exe, is 278.1MB although the submitted sample is 1.6MB, so it was generated or padded at runtime; inflating a payload past the size limits of scanners and sandboxes is the usual reason. rwjiqfe.log is not referenced by any command line in the report. holderwb.txt (3KB) is the WebBrowserPassView output written by the second vbc.exe; the holdermail.txt named on the first vbc.exe command line does not appear among the dropped files.
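When this listing has to be checked against files recovered from a host, the fused "MD5<hex>" form it was extracted in is awkward to read by eye. The block below is an added example, not part of the sandbox report: it parses a constructed excerpt of the Downloads section (entries as extracted, labels fused to their values, some written with a space to show both forms are accepted), collapses the duplicate asvcmtnk.exe entry, verifies a byte string against a record, and flags dropped files larger than the submitted sample. The 1.6MB sample size used as the default comparison point is the one from the General section above.

```python
"""Parse the report's dropped-file listing and check files against it.

Added example, not part of the sandbox report. REPORT_TEXT is a constructed
excerpt of the report's Downloads section as it was extracted: the
"Filesize" and hash labels fused to their values, entries separated by "-".
The parser accepts the fused and the spaced form alike and validates each
digest length so a fused label can never be mis-split.
"""
import hashlib
import re

REPORT_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exeFilesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
C:\Users\Admin\AppData\Local\Temp\99285611\asvcmtnk.exeFilesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
C:\Users\Admin\AppData\Local\Temp\99285611\velck.vjhFilesize
278.1MB
MD5 2022bdc583d046cf5f9a4f5d7d15fde8
SHA1 6a06e9776d6d93765ac4af0e95147aeb2f4ae3d8
SHA256 660c236ab606006760430627b97661c5bfb362dc0742bd6933d8a64966ffc247
SHA512 2e7f9069876d98f8f305213746395f38268889821e4c20b2bb695600b9604e92ef42d5756ac7e2c0a8e38508e2ecb724b39395b2fb88301a5ba0333c7615ab6d
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label first, optional whitespace, then the digest; the length check below
# resolves the fused cases (e.g. "SHA19a77..." is SHA1 + "9a77...").
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_downloads(text):
    """Return one {path, size, MD5, SHA1, SHA256, SHA512} dict per distinct
    dropped file; repeated entries with the same path and SHA256 collapse."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            current = {"path": line[: -len("Filesize")]}
            records.append(current)
        elif current is None:
            raise ValueError(f"hash line before any file entry: {line!r}")
        elif "size" not in current:
            current["size"] = line
        else:
            m = HASH_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line: {line!r}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)}: {line!r}")
            current[algo] = digest
    unique, seen = [], set()
    for r in records:
        key = (r["path"], r.get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def digests(data: bytes):
    """All four digests the report publishes, keyed like the report."""
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in HASH_LEN}


def verify(data: bytes, record):
    """Names of the algorithms whose digest of `data` disagrees with `record`
    (empty list means the bytes match every digest the record carries)."""
    got = digests(data)
    return sorted(a for a in HASH_LEN if a in record and record[a] != got[a])


def size_bytes(text):
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def larger_than_sample(records, sample_size="1.6MB"):
    """Dropped files bigger than the submitted sample cannot have been carried
    verbatim inside it; they were generated or padded at runtime."""
    limit = size_bytes(sample_size)
    return [basename(r["path"]) for r in records if size_bytes(r["size"]) > limit]


if __name__ == "__main__":
    for r in parse_downloads(REPORT_TEXT):
        print(f'{basename(r["path"]):14} {r["size"]:>8}  sha256={r["SHA256"]}')
    print("inflated:", larger_than_sample(parse_downloads(REPORT_TEXT)))
```

To check a recovered file, read it as bytes and call verify(data, record); an empty result confirms the file is the one the sandbox saw, and any name in the result is a digest that disagrees.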
-
Memory dumps
memory/1324-130-0x0000000000000000-mapping.dmp
memory/1420-133-0x0000000000000000-mapping.dmp
memory/1872-137-0x0000000000F00000-0x0000000001F00000-memory.dmp  Filesize 16.0MB
memory/1872-138-0x0000000000F82F9E-mapping.dmp
memory/1872-139-0x0000000000F00000-0x0000000000F88000-memory.dmp  Filesize 544KB
memory/1872-140-0x000000000E110000-0x000000000E1AC000-memory.dmp  Filesize 624KB
memory/1872-141-0x000000000E7E0000-0x000000000ED84000-memory.dmp  Filesize 5.6MB
memory/1872-142-0x000000000E2D0000-0x000000000E362000-memory.dmp  Filesize 584KB
memory/1872-143-0x000000000E200000-0x000000000E20A000-memory.dmp  Filesize 40KB
memory/1872-144-0x000000000E460000-0x000000000E4B6000-memory.dmp  Filesize 344KB
memory/1872-145-0x0000000011610000-0x0000000011676000-memory.dmp  Filesize 408KB
memory/2228-151-0x0000000000000000-mapping.dmp
memory/2228-152-0x0000000000400000-0x0000000000458000-memory.dmp  Filesize 352KB
memory/2228-154-0x0000000000400000-0x0000000000458000-memory.dmp  Filesize 352KB
memory/2228-155-0x0000000000400000-0x0000000000458000-memory.dmp  Filesize 352KB
memory/2228-157-0x0000000000400000-0x0000000000458000-memory.dmp  Filesize 352KB
memory/2836-146-0x0000000000000000-mapping.dmp
memory/2836-147-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2836-149-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2836-150-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
The mapping.dmp entries record where each hollowed child's thread context was pointed (1872-138 at 0x0F82F9E, inside the 0x0F00000-0x0F88000 region of RegSvcs.exe that the YARA rules match). The repeated 0x400000 dumps of 2228 and 2836 are successive snapshots of the same injected image region, which is why the same rule fires on each of them.