Analysis

max time kernel: 125s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 22:34

Tasks:
- Static task: static1
- Behavioral task: behavioral1, sample 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe, resource win7-20220414-en

Every signature hit below is tagged behavioral2, i.e. the Windows 10 run described by the platform and resource fields above; the task list as captured here shows only the Windows 7 task.
General

Target: 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe
Size: 946KB
MD5: 21efe3eae8d1d7bd215efe3a1599f562
SHA1: d49c95098c0750985a2729c30f050c614ad263c9
SHA256: 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
SHA512: 1d922c9e5fe1070bd8c2ddb66758e028e7e6a63fdbb5fa89ca857eac72be2050615722491cea3be594cd8f8e8168bb6ffd26660b966afc04337a9369cfc309b3
Malware Config

Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: elb3r@yandex.com
Password: adamssteve

This is the SMTP account embedded in the sample, i.e. the account it is configured to send through, not a credential belonging to the victim. For detection, the usable indicators are outbound TCP/587 to smtp.yandex.com from a process that is not a mail client, and the address above as SMTP sender or recipient; the password only serves to confirm the config extraction.
Signatures

NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients.
Memory regions matching the MailPassView YARA rule:
- behavioral2/memory/1408-140-0x00000000023D0000-0x0000000002460000-memory.dmp
- behavioral2/memory/1540-161-0x0000000002930000-0x00000000029C0000-memory.dmp
- behavioral2/memory/3044-167-0x0000000000000000-mapping.dmp
- behavioral2/memory/3044-168-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3044-170-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3044-171-0x0000000000400000-0x000000000041B000-memory.dmp

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers.
Memory regions matching the WebBrowserPassView YARA rule:
- behavioral2/memory/1408-140-0x00000000023D0000-0x0000000002460000-memory.dmp
- behavioral2/memory/1540-161-0x0000000002930000-0x00000000029C0000-memory.dmp
- behavioral2/memory/3008-174-0x0000000000000000-mapping.dmp
- behavioral2/memory/3008-175-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-177-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-178-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-180-0x0000000000400000-0x0000000000458000-memory.dmp

Nirsoft (11 IoCs)
Memory regions matching the generic Nirsoft YARA rule:
- behavioral2/memory/1408-140-0x00000000023D0000-0x0000000002460000-memory.dmp
- behavioral2/memory/1540-161-0x0000000002930000-0x00000000029C0000-memory.dmp
- behavioral2/memory/3044-167-0x0000000000000000-mapping.dmp
- behavioral2/memory/3044-168-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3044-170-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3044-171-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3008-174-0x0000000000000000-mapping.dmp
- behavioral2/memory/3008-175-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-177-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-178-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3008-180-0x0000000000400000-0x0000000000458000-memory.dmp
The generic rule is the union of the two lists above. Both tools match in the same 576KB region of the two hollowed parents (1408, the relaunched sample; 1540, the relaunched Windows Update.exe), while MailPassView matches only in 3044 and WebBrowserPassView only in 3008: the parents carry both tools and inject one into each vbc.exe child.

Executes dropped EXE (2 IoCs)
- PID 3808: Windows Update.exe
- PID 1540: Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation, by 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe

Uses the VBS compiler for execution (1 TTP)
No IoC is listed for this signature. The process tree below shows what it refers to: vbc.exe (the Visual Basic .NET compiler, not a VBScript engine) is started twice from C:\Windows\Microsoft.NET\Framework\v2.0.50727\ and used as the host process for the injected NirSoft tools.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, by vbc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 48: whatismyipaddress.com
- flow 50: whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
- PID 1464 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe) set thread context of 1408 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe)
- PID 3808 (Windows Update.exe) set thread context of 1540 (Windows Update.exe)
- PID 1540 (Windows Update.exe) set thread context of 3044 (vbc.exe)
- PID 1540 (Windows Update.exe) set thread context of 3008 (vbc.exe)
Each pairing is a parent that spawned the child, wrote into it (see WriteProcessMemory below) and then reset its main thread context: the process-hollowing sequence, used here first to unpack the sample into a copy of itself and then to place the NirSoft payloads into vbc.exe.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the signature's generic description. Nothing else in this report (no encryption, no file activity beyond the dropped copy and the NirSoft output files) supports ransomware; the rest of the chain is credential theft.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3008: vbc.exe (two occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1540 (Windows Update.exe)

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1464: 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe
- PID 3808: Windows Update.exe
- PID 1540: Windows Update.exe
A hook installed with SetWindowsHookEx is the usual way a user-mode keylogger captures keystrokes; the report does not show which hook type was installed.

Suspicious use of WriteProcessMemory (27 IoCs)
The report lists one IoC per write; grouped by source and target process:
- PID 1464 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe) wrote to memory of 1408 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe): 3 writes
- PID 1408 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe) wrote to memory of 3808 (Windows Update.exe): 3 writes
- PID 3808 (Windows Update.exe) wrote to memory of 1540 (Windows Update.exe): 3 writes
- PID 1540 (Windows Update.exe) wrote to memory of 3044 (vbc.exe): 9 writes
- PID 1540 (Windows Update.exe) wrote to memory of 3008 (vbc.exe): 9 writes
Processes

Process tree of the behavioral2 run (PIDs taken from the signature tables above; indentation is the parent/child level the report numbers 1 to 5):

1. C:\Users\Admin\AppData\Local\Temp\438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe (PID 1464)
   Command line: "C:\Users\Admin\AppData\Local\Temp\438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe (PID 1408)
      Command line: C:\Users\Admin\AppData\Local\Temp\438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 3808)
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1540)
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3044)
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               - Accesses Microsoft Outlook accounts
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3008)
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               - Suspicious behavior: EnumeratesProcesses

The /stext <file> switch is NirSoft's "save as text" option; vbc.exe has no such option. Together with the MailPassView and WebBrowserPassView matches at the 0x400000 image base of 3044 and 3008, it shows that each vbc.exe is a hollowed shell running one NirSoft tool and writing its results to the Temp file named on its command line (holdermail.txt for mail clients, holderwb.txt for browsers).
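The chain above is recognisable from process-creation telemetry alone. The following Python is an added example (not part of the Triage report and not the sample's code) that runs four heuristics over constructed Sysmon Event ID 1 style records mirroring this tree: vbc.exe launched with NirSoft's /stext switch, a process whose image is identical to its parent's image (the self-relaunch that precedes the SetThreadContext injection), a binary named Windows Update.exe running from a user-writable AppData path, and a launch from Temp into Roaming. The PIDs are the report's; the parent of the first process (explorer.exe, PID 4000) is an assumption, since the report does not show it.

```python
"""Heuristic triage of Sysmon-style process-creation events for the
execution chain in this report (added example, not from the report).

Field names follow Sysmon Event ID 1: ProcessId, ParentProcessId,
Image, ParentImage, CommandLine.
"""
import re

SAMPLE = "438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed records reproducing the process tree on this page. PIDs are the
# report's; the parent of PID 1464 (explorer.exe, PID 4000) is assumed.
EVENTS = [
    {"ProcessId": 1464, "ParentProcessId": 4000,
     "Image": f"{TEMP}\\{SAMPLE}", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{TEMP}\\{SAMPLE}"'},
    {"ProcessId": 1408, "ParentProcessId": 1464,
     "Image": f"{TEMP}\\{SAMPLE}", "ParentImage": f"{TEMP}\\{SAMPLE}",
     "CommandLine": f"{TEMP}\\{SAMPLE}"},
    {"ProcessId": 3808, "ParentProcessId": 1408,
     "Image": f"{ROAMING}\\Windows Update.exe", "ParentImage": f"{TEMP}\\{SAMPLE}",
     "CommandLine": f'"{ROAMING}\\Windows Update.exe"'},
    {"ProcessId": 1540, "ParentProcessId": 3808,
     "Image": f"{ROAMING}\\Windows Update.exe",
     "ParentImage": f"{ROAMING}\\Windows Update.exe",
     "CommandLine": f"{ROAMING}\\Windows Update.exe"},
    {"ProcessId": 3044, "ParentProcessId": 1540,
     "Image": VBC, "ParentImage": f"{ROAMING}\\Windows Update.exe",
     "CommandLine": f'{VBC} /stext "{TEMP}\\holdermail.txt"'},
    {"ProcessId": 3008, "ParentProcessId": 1540,
     "Image": VBC, "ParentImage": f"{ROAMING}\\Windows Update.exe",
     "CommandLine": f'{VBC} /stext "{TEMP}\\holderwb.txt"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# NirSoft's save-as-text switch; the real vbc.exe has no such option.
STEXT = re.compile(r"(^|\s)/stext(\s|$)", re.I)
# File names seen in this report that imitate a Windows component.
MASQUERADE_NAMES = {"windows update.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings_for(ev: dict) -> list:
    """Return the heuristic labels that fire on one process-creation record."""
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    hits = []
    if basename(image) == "vbc.exe" and STEXT.search(cmd):
        hits.append("nirsoft_stext_in_vbc")
    if image.lower() == parent.lower():
        hits.append("self_relaunch")  # the relaunch that precedes SetThreadContext
    if USER_WRITABLE.search(image) and basename(image) in MASQUERADE_NAMES:
        hits.append("masquerading_dropped_exe")
    if TEMP_DIR.search(parent) and ROAMING_DIR.search(image):
        hits.append("temp_to_roaming_launch")
    return hits


def triage(events) -> dict:
    """Map every ProcessId to the labels that fired on it (empty list if none)."""
    return {ev["ProcessId"]: findings_for(ev) for ev in events}


def lineage(events, pid: int) -> list:
    """Walk ParentProcessId links upward and return the chain root-first."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # PID reuse could otherwise loop
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        if hits:
            print(pid, " -> ".join(map(str, lineage(EVENTS, pid))), hits)
```

The self-relaunch and Temp-to-Roaming rules fire on plenty of installers, so on a real host they are corroborating signals; the vbc.exe plus /stext rule is the high-confidence one, because nothing legitimate passes a NirSoft switch to the VB.NET compiler.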
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Files written during the run:

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: 495a79982fa048fbf1c6d66d197ed68c
SHA1: 8f13ce9ab990c708ed5b481b9da1a048152136d4
SHA256: ed6b8afcc0a2904f522a794d40087c15d1701b6ea5e802f306e0be2e4c1c7a35
SHA512: e9488bf8dcdc2d0bbb1bf2f41c5d55b2b9976f0c6abb5061344c7e988aa2e9b4d38630431e363bec6a61fae8538eedfd0636dc23b43e86b78ff73d4e7f1a64a1

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Users\Admin\AppData\Roaming\Windows Update.exe (recorded three times in the report, with identical hashes each time)
Filesize: 946KB
MD5: 21efe3eae8d1d7bd215efe3a1599f562
SHA1: d49c95098c0750985a2729c30f050c614ad263c9
SHA256: 438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
SHA512: 1d922c9e5fe1070bd8c2ddb66758e028e7e6a63fdbb5fa89ca857eac72be2050615722491cea3be594cd8f8e8168bb6ffd26660b966afc04337a9369cfc309b3

The dropped "Windows Update.exe" is byte-for-byte the submitted sample (all four hashes match the General section), so the sample hashes cover the persistence copy as well. holderwb.txt is the 3KB WebBrowserPassView output from PID 3008. holdermail.txt, named on the other vbc.exe command line, is not among the recorded files; either MailPassView had nothing to save or the file was not captured.

Memory dumps, grouped by PID (these are the behavioral2/memory/... dumps referenced by the YARA matches above):

PID 1464 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe, first instance)
- memory/1464-132-0x00000000022F0000-0x00000000022F8000-memory.dmp, 32KB
- memory/1464-134-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB

PID 1408 (438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe, relaunched instance)
- memory/1408-133-0x0000000000000000-mapping.dmp
- memory/1408-137-0x0000000000400000-0x0000000000477000-memory.dmp, 476KB
- memory/1408-140-0x00000000023D0000-0x0000000002460000-memory.dmp, 576KB
- memory/1408-143-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB
- memory/1408-144-0x0000000074DA0000-0x0000000075351000-memory.dmp, 5.7MB
- memory/1408-145-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB
- memory/1408-150-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB
- memory/1408-152-0x0000000074DA0000-0x0000000075351000-memory.dmp, 5.7MB

PID 3808 (Windows Update.exe, first instance)
- memory/3808-146-0x0000000000000000-mapping.dmp
- memory/3808-155-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB

PID 1540 (Windows Update.exe, relaunched instance)
- memory/1540-153-0x0000000000000000-mapping.dmp
- memory/1540-161-0x0000000002930000-0x00000000029C0000-memory.dmp, 576KB
- memory/1540-164-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB
- memory/1540-165-0x0000000074DA0000-0x0000000075351000-memory.dmp, 5.7MB
- memory/1540-172-0x0000000077730000-0x00000000778D3000-memory.dmp, 1.6MB
- memory/1540-173-0x0000000074DA0000-0x0000000075351000-memory.dmp, 5.7MB

PID 3044 (vbc.exe, holdermail.txt)
- memory/3044-167-0x0000000000000000-mapping.dmp
- memory/3044-168-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/3044-170-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/3044-171-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB

PID 3008 (vbc.exe, holderwb.txt)
- memory/3008-174-0x0000000000000000-mapping.dmp
- memory/3008-175-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/3008-177-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/3008-178-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB
- memory/3008-180-0x0000000000400000-0x0000000000458000-memory.dmp, 352KB

The 576KB regions 1408-140 and 1540-161 are where both NirSoft rules matched in the parents; the 0x400000 regions in 3044 (108KB) and 3008 (352KB) are the image bases of the hollowed vbc.exe processes, where MailPassView and WebBrowserPassView respectively were matched. Those, rather than the 946KB dropper, are the dumps to pull for YARA or hash-based confirmation of the payloads.
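For responders who need to check other hosts for this same chain, the following Python is an added example (not from the report) that sweeps a user profile for the on-disk artifacts recorded above: the persistence copy AppData\Roaming\Windows Update.exe, verified against the sample's SHA-256, and the NirSoft output files holdermail.txt, holderwb.txt and SysInfo.txt in AppData\Local\Temp. It takes the profile root as a path so it can be pointed at a mounted disk image or a test directory; the walk over C:\Users in the main block is an assumption about a live Windows host, and the verdict labels are this example's own.

```python
"""Sweep a Windows user profile for the artifacts this report records
(added example; not part of the sandbox report)."""
import hashlib
import sys
from pathlib import Path

# From the General section of this report.
SAMPLE_SHA256 = "438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76"

# Paths relative to the profile root, as recorded in the Downloads section
# and on the two vbc.exe command lines.
DROPPED_EXE = Path("AppData") / "Roaming" / "Windows Update.exe"
NIRSOFT_OUTPUTS = [
    Path("AppData") / "Local" / "Temp" / name
    for name in ("holdermail.txt", "holderwb.txt", "SysInfo.txt")
]


def sha256_of(path: Path) -> str:
    """Stream the file so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_profile(profile_root, known_sha256: str = SAMPLE_SHA256) -> dict:
    """Return what was found under one profile.

    dropped_exe: path and SHA-256 of the Roaming "Windows Update.exe" if present
    hash_match:  True when that file is byte-identical to the known sample
    outputs:     NirSoft result files present in AppData\\Local\\Temp
    """
    root = Path(profile_root)
    result = {"profile": str(root), "dropped_exe": None,
              "hash_match": False, "outputs": []}
    exe = root / DROPPED_EXE
    if exe.is_file():
        digest = sha256_of(exe)
        result["dropped_exe"] = {"path": str(exe), "sha256": digest}
        result["hash_match"] = digest == known_sha256.lower()
    for rel in NIRSOFT_OUTPUTS:
        candidate = root / rel
        if candidate.is_file():
            result["outputs"].append(
                {"name": rel.name, "path": str(candidate),
                 "size": candidate.stat().st_size})
    return result


def verdict(result: dict) -> str:
    """Collapse a sweep result into one triage label (labels are this example's)."""
    if result["hash_match"]:
        return "confirmed: persistence copy matches sample hash"
    if result["dropped_exe"] is not None:
        return "suspect: Windows Update.exe present in Roaming but hash differs (variant or repack)"
    if result["outputs"]:
        return "suspect: NirSoft output files present, dropper already removed"
    return "clean"


if __name__ == "__main__":
    # Assumed live-host usage: sweep the profiles given, or every one under C:\Users.
    roots = [Path(p) for p in sys.argv[1:]] or list(Path(r"C:\Users").glob("*"))
    for profile in roots:
        r = sweep_profile(profile)
        print(f"{r['profile']}: {verdict(r)}")
```

A hash mismatch on a present "Windows Update.exe" is still worth a look: the same loader is commonly rebuilt with a different embedded SMTP config, which changes every hash while leaving the path, the vbc.exe /stext pattern and the Temp output names intact.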