Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 03:21

Static task: static1
Behavioral task: behavioral1
Sample: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
Resource: win7-20220414-en
General
- Target: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
- Size: 773KB
- MD5: 919fad47fb64a39ead7e17dfbe4cfc06
- SHA1: 5397ecbfee38cc27ad328c80de850a1da0334734
- SHA256: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c
- SHA512: d0e0b93b39730a6ba98f1af3af0d10948c4fe036b940fc3520ad7a667a94641c447fdcb66ee0716b632bec2cb588594e884f1ba58a23f8d2eea5de0666775005
Malware Config
Signatures
- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral1/memory/1456-66-0x00000000000E0000-0x0000000000170000-memory.dmp | MailPassView
  behavioral1/memory/1456-69-0x00000000778E0000-0x0000000077A60000-memory.dmp | MailPassView
  behavioral1/memory/552-99-0x0000000000480000-0x0000000000510000-memory.dmp | MailPassView
  behavioral1/memory/552-98-0x0000000000482000-0x000000000050A000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral1/memory/1456-66-0x00000000000E0000-0x0000000000170000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1456-69-0x00000000778E0000-0x0000000077A60000-memory.dmp | WebBrowserPassView
  behavioral1/memory/552-99-0x0000000000480000-0x0000000000510000-memory.dmp | WebBrowserPassView
  behavioral1/memory/552-98-0x0000000000482000-0x000000000050A000-memory.dmp | WebBrowserPassView
- Nirsoft (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1456-66-0x00000000000E0000-0x0000000000170000-memory.dmp | Nirsoft
  behavioral1/memory/1456-69-0x00000000778E0000-0x0000000077A60000-memory.dmp | Nirsoft
  behavioral1/memory/552-99-0x0000000000480000-0x0000000000510000-memory.dmp | Nirsoft
  behavioral1/memory/552-98-0x0000000000482000-0x000000000050A000-memory.dmp | Nirsoft
- Executes dropped EXE (2 IoCs)
  pid | Process
  848 | Windows Update.exe
  552 | Windows Update.exe
- Deletes itself (1 IoCs)
  pid | Process
  552 | Windows Update.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  1456 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
  848 | Windows Update.exe (listed 4 times in the report)
  552 | Windows Update.exe (listed 3 times in the report)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | whatismyipaddress.com
  6 | whatismyipaddress.com
  7 | whatismyipaddress.com
- Suspicious use of SetThreadContext (2 IoCs)
  Taken together with the WriteProcessMemory and UnmapMainImage signatures below, which hit the same parent/child pairs (1948 -> 1456 and 848 -> 552), this is the process-hollowing pattern: each parent starts a second copy of its own image, overwrites that copy's memory, and points the child's main thread at the injected code.
  description | pid | Process | procid_target
  PID 1948 set thread context of 1456 | 1948 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe | 27
  PID 848 set thread context of 552 | 848 | Windows Update.exe | 29
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic rule text calls this likely ransomware behaviour; for this sample the other signatures (NirSoft password-recovery tools detected in memory, an external IP lookup, a dropped "Windows Update.exe") point to a credential stealer, so read the ransomware note as rule boilerplate rather than a finding about this sample.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 552 | Windows Update.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1948 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
  848 | Windows Update.exe
  552 | Windows Update.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1456 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
  552 | Windows Update.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1948 wrote to memory of 1456 | 1948 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe | 27 (listed 4 times in the report)
  PID 1456 wrote to memory of 848 | 1456 | 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe | 28 (listed 7 times in the report)
  PID 848 wrote to memory of 552 | 848 | Windows Update.exe | 29 (listed 7 times in the report)
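The SetThreadContext, WriteProcessMemory and UnmapMainImage rows above only read as process hollowing once they are joined on parent/child PIDs, and the NirSoft memory-dump names encode where the injected code was found. The Python below is an added example, not part of the sandbox report or its tooling: it takes the rows as they appear in this report, rebuilds the spawn chain, applies a hollowing heuristic of its own (a parent that both writes into and sets the thread context of a child running the same image, where the child then unmaps its main image), and parses the dump names as `<pid>-<seq>-<start>-<end>` to compare the injected region sizes. That reading of the dump file names is an assumption about the sandbox's naming scheme.

```python
"""Join the report's SetThreadContext / WriteProcessMemory / UnmapMainImage
rows into a process-hollowing picture.

Added example, not part of the sandbox report. Input rows are copied from
the report; the hollowing heuristic and the reading of memory-dump names as
<pid>-<seq>-<start>-<end> are this example's own assumptions.
"""
import re
from collections import defaultdict

# Signature rows copied from the report (one row per line here; the report
# runs them together on a single line, which the regex below also handles).
SET_THREAD_CONTEXT = """
PID 1948 set thread context of 1456 1948 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe 27
PID 848 set thread context of 552 848 Windows Update.exe 29
"""

WRITE_PROCESS_MEMORY = """
PID 1948 wrote to memory of 1456 1948 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe 27
PID 1456 wrote to memory of 848 1456 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe 28
PID 848 wrote to memory of 552 848 Windows Update.exe 29
"""

# PIDs flagged by the UnmapMainImage signature, and the image each PID runs.
UNMAP_MAIN_IMAGE = {1456, 552}
PROCESS_IMAGE = {
    1948: "4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe",
    1456: "4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe",
    848: "Windows Update.exe",
    552: "Windows Update.exe",
}

# Memory-dump resources from the NirSoft YARA hits.
MEMORY_DUMPS = [
    "behavioral1/memory/1456-66-0x00000000000E0000-0x0000000000170000-memory.dmp",
    "behavioral1/memory/1456-69-0x00000000778E0000-0x0000000077A60000-memory.dmp",
    "behavioral1/memory/552-99-0x0000000000480000-0x0000000000510000-memory.dmp",
    "behavioral1/memory/552-98-0x0000000000482000-0x000000000050A000-memory.dmp",
]

ROW_RE = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_edges(table):
    """Return the set of (source_pid, target_pid) pairs in a signature table."""
    return {(int(src), int(dst)) for src, dst in ROW_RE.findall(table)}


def execution_chain(write_edges, root):
    """Follow 'wrote to memory of' edges from root to recover the spawn order."""
    next_pid = {src: dst for src, dst in write_edges}
    chain = [root]
    while chain[-1] in next_pid and next_pid[chain[-1]] not in chain:
        chain.append(next_pid[chain[-1]])
    return chain


def hollowing_pairs(ctx_edges, write_edges, unmapped, images):
    """Heuristic (this example's own): the parent writes into and sets the
    thread context of a child running the same image, and that child
    unmaps its own main image."""
    return [
        (parent, child)
        for parent, child in sorted(ctx_edges)
        if (parent, child) in write_edges
        and child in unmapped
        and images.get(parent) == images.get(child)
    ]


def dump_regions(names):
    """Map pid -> [(start, end, size)] from <pid>-<seq>-<start>-<end> dump names."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.search(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions[pid].append((start, end, end - start))
    return dict(regions)


def shared_region_sizes(regions):
    """Region sizes dumped from every process; the same size at different
    bases suggests the same payload was written into each hollowed child."""
    per_pid = [{size for _, _, size in regs} for regs in regions.values()]
    return set.intersection(*per_pid) if per_pid else set()


if __name__ == "__main__":
    ctx = parse_edges(SET_THREAD_CONTEXT)
    wpm = parse_edges(WRITE_PROCESS_MEMORY)
    print("spawn chain:", " -> ".join(str(p) for p in execution_chain(wpm, 1948)))
    print("hollowing pairs:", hollowing_pairs(ctx, wpm, UNMAP_MAIN_IMAGE, PROCESS_IMAGE))
    regions = dump_regions(MEMORY_DUMPS)
    for pid, regs in sorted(regions.items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({size // 1024} KB)" for s, e, size in regs])
    print("shared sizes:", [hex(s) for s in shared_region_sizes(regions)])
```

Run stand-alone it prints the chain 1948 -> 1456 -> 848 -> 552, the two hollowing pairs, and the fact that both hollowed children (1456 and 552) contain a 0x90000-byte region at a different base, which is what you would expect if the same unpacked payload was written into each. PID 848 is written to by 1456 but has neither a SetThreadContext nor an UnmapMainImage hit, so the heuristic correctly leaves it out: it is the dropped copy that in turn hollows 552.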
Processes
Command lines are reproduced as the sandbox captured them, including the unbalanced quotes on the two child copies.
1. C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe"
   PID: 1948
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. (child of PID 1948) C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe"
      PID: 1456
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. (child of PID 1456) C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 848
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. (child of PID 848) C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 552
            - Executes dropped EXE
            - Deletes itself
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 102B
  MD5: 1ecd6816a51877ed449c46e97da68163
  SHA1: ead75fb308c112ddd346330050e5dbcc56cb8246
  SHA256: aab13006a002ff3b7708c6a90f67752834c25aa4f6822f54531133fa4ea1f481
  SHA512: b989bd5df9e706adcb51cde8c052fc7e7b7829ffc010377acf2fffd85c3ca282324c26f8557c1cccf1cdd005fdb65ff7252c47769fd5df151c246adecf4cfac8
- Filesize: 773KB (the report lists this entry 11 times with identical hashes; all of them match the submitted sample, consistent with the dropped Windows Update.exe being a copy of the original)
  MD5: 919fad47fb64a39ead7e17dfbe4cfc06
  SHA1: 5397ecbfee38cc27ad328c80de850a1da0334734
  SHA256: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c
  SHA512: d0e0b93b39730a6ba98f1af3af0d10948c4fe036b940fc3520ad7a667a94641c447fdcb66ee0716b632bec2cb588594e884f1ba58a23f8d2eea5de0666775005
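The Downloads list carries one small new artifact and, repeatedly, a 773KB file whose four digests equal the submitted sample's, which is consistent with the dropped Windows Update.exe being a self-copy into AppData\Roaming. The Python below is an added example, not part of the sandbox report: it parses the entries as they appear in this report (including the fused "MD5919fad..." label/digest lines left by extraction), uses digest length to split label from digest unambiguously, collapses duplicates by SHA256 while checking that the other digests agree within each group, and relates each unique hash to the sample. The embedded entries are copied from the report, with the 773KB entry repeated three times rather than eleven.

```python
"""Parse the report's Downloads entries, de-duplicate them by SHA256 and
relate each unique file to the submitted sample.

Added example, not part of the sandbox report. The entries below are copied
from the report, including the label/digest fusion ('MD5919fad...') produced
by extraction; digest lengths are used to split those lines unambiguously.
"""
import re

SAMPLE_SHA256 = "4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c"
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Entries copied from the report; the 773KB entry appears 11 times there.
ENTRY_102B = """
Filesize
102B
MD51ecd6816a51877ed449c46e97da68163
SHA1ead75fb308c112ddd346330050e5dbcc56cb8246
SHA256aab13006a002ff3b7708c6a90f67752834c25aa4f6822f54531133fa4ea1f481
SHA512b989bd5df9e706adcb51cde8c052fc7e7b7829ffc010377acf2fffd85c3ca282324c26f8557c1cccf1cdd005fdb65ff7252c47769fd5df151c246adecf4cfac8
-
"""
ENTRY_773KB = """
Filesize
773KB
MD5919fad47fb64a39ead7e17dfbe4cfc06
SHA15397ecbfee38cc27ad328c80de850a1da0334734
SHA2564858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c
SHA512d0e0b93b39730a6ba98f1af3af0d10948c4fe036b940fc3520ad7a667a94641c447fdcb66ee0716b632bec2cb588594e884f1ba58a23f8d2eea5de0666775005
-
"""
DOWNLOADS_TEXT = ENTRY_102B + ENTRY_773KB * 3


def split_fused(line):
    """Split 'SHA15397ec...' into ('SHA1', '5397ec...'). Label prefixes can
    collide ('SHA1' against a SHA1 digest starting with '5'), so the digest
    length is what decides; anything but exactly one fit is rejected."""
    matches = [
        (label, line[len(label):])
        for label, n in DIGEST_LEN.items()
        if line.startswith(label)
        and len(line) - len(label) == n
        and HEX_RE.match(line[len(label):])
    ]
    if len(matches) != 1:
        raise ValueError("ambiguous or malformed hash line: %r" % line)
    return matches[0]


def parse_downloads(text):
    """Turn the Filesize/hash blocks into a list of dicts."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Filesize":
            cur = {}
            entries.append(cur)
        elif not line or line == "-" or cur is None:
            continue
        elif "size" not in cur:
            cur["size"] = line
        else:
            label, digest = split_fused(line)
            cur[label] = digest
    return entries


def dedupe_by_sha256(entries):
    """Collapse repeated entries, keeping a copy count, and check that size
    and the other digests agree within a group (a mismatch would mean a
    garbled row rather than a genuine duplicate)."""
    groups = {}
    for e in entries:
        g = groups.setdefault(e["SHA256"], dict(e, copies=0))
        for label in ("size", "MD5", "SHA1", "SHA512"):
            if g.get(label) != e.get(label):
                raise ValueError("inconsistent %s for SHA256 %s" % (label, e["SHA256"]))
        g["copies"] += 1
    return list(groups.values())


def relate_to_sample(unique, sample_sha256):
    """Label each unique download relative to the submitted sample."""
    return {
        u["SHA256"]: "identical to submitted sample"
        if u["SHA256"] == sample_sha256
        else "distinct artifact (%s)" % u["size"]
        for u in unique
    }


if __name__ == "__main__":
    unique = dedupe_by_sha256(parse_downloads(DOWNLOADS_TEXT))
    for u in unique:
        print(u["SHA256"], u["size"], "x%d" % u["copies"])
    print(relate_to_sample(unique, SAMPLE_SHA256))
```

The length check in split_fused is the part worth keeping: with labels fused onto digests, a prefix match alone cannot tell "SHA1" + "5397..." apart from a hypothetical "SHA15" label, and a SHA256 line could be misread as "SHA1" plus a 66-character digest. Requiring the remainder to be exactly the digest length for exactly one label turns an extraction quirk into a hard parse error instead of a silently wrong IoC.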