Analysis

max time kernel: 141s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-07-2022 03:21

Static task: static1
Behavioral task: behavioral1
Sample: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
Resource: win7-20220414-en
General

Target: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
Size: 773KB
MD5: 919fad47fb64a39ead7e17dfbe4cfc06
SHA1: 5397ecbfee38cc27ad328c80de850a1da0334734
SHA256: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c
SHA512: d0e0b93b39730a6ba98f1af3af0d10948c4fe036b940fc3520ad7a667a94641c447fdcb66ee0716b632bec2cb588594e884f1ba58a23f8d2eea5de0666775005
Malware Config

Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: prayforme18
Signatures

NirSoft MailPassView  (6 IoCs)
Password recovery tool for various email clients
resource                                                                      yara_rule
behavioral2/memory/424-141-0x0000000006AB0000-0x0000000006B40000-memory.dmp    MailPassView
behavioral2/memory/2624-161-0x0000000006A90000-0x0000000006B20000-memory.dmp   MailPassView
behavioral2/memory/2388-169-0x0000000000000000-mapping.dmp                     MailPassView
behavioral2/memory/2388-170-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
behavioral2/memory/2388-172-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
behavioral2/memory/2388-173-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView

NirSoft WebBrowserPassView  (7 IoCs)
Password recovery tool for various web browsers
resource                                                                      yara_rule
behavioral2/memory/424-141-0x0000000006AB0000-0x0000000006B40000-memory.dmp    WebBrowserPassView
behavioral2/memory/2624-161-0x0000000006A90000-0x0000000006B20000-memory.dmp   WebBrowserPassView
behavioral2/memory/3860-176-0x0000000000000000-mapping.dmp                     WebBrowserPassView
behavioral2/memory/3860-177-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
behavioral2/memory/3860-179-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
behavioral2/memory/3860-180-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
behavioral2/memory/3860-182-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView

Nirsoft  (11 IoCs)
resource                                                                      yara_rule
behavioral2/memory/424-141-0x0000000006AB0000-0x0000000006B40000-memory.dmp    Nirsoft
behavioral2/memory/2624-161-0x0000000006A90000-0x0000000006B20000-memory.dmp   Nirsoft
behavioral2/memory/2388-169-0x0000000000000000-mapping.dmp                     Nirsoft
behavioral2/memory/2388-170-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral2/memory/2388-172-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral2/memory/2388-173-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral2/memory/3860-176-0x0000000000000000-mapping.dmp                     Nirsoft
behavioral2/memory/3860-177-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
behavioral2/memory/3860-179-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
behavioral2/memory/3860-180-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
behavioral2/memory/3860-182-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
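The yara entries above are one line per memory dump, so the same region shows up several times under several rules. The following is an added example, not part of the sandbox report: it parses the resource strings (the `behavioral2/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` form and the range-less `mapping.dmp` form), collapses repeated dumps into one entry per process and address range, and lists which rules hit each. The input is the resource list copied from the three signatures with the rule name paired by hand; the interpretation that a match starting at 0x400000 inside vbc.exe points at a replaced (hollowed) image is the analyst's reading, not something the report states.

```python
"""Parse sandbox yara memory-match resources and group them per process and region."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Resource strings as they appear in the MailPassView / WebBrowserPassView / Nirsoft
# signatures of this report; the rule name is attached to each by hand (constructed input).
_MAILPASSVIEW = [
    "behavioral2/memory/424-141-0x0000000006AB0000-0x0000000006B40000-memory.dmp",
    "behavioral2/memory/2624-161-0x0000000006A90000-0x0000000006B20000-memory.dmp",
    "behavioral2/memory/2388-169-0x0000000000000000-mapping.dmp",
    "behavioral2/memory/2388-170-0x0000000000400000-0x000000000041B000-memory.dmp",
    "behavioral2/memory/2388-172-0x0000000000400000-0x000000000041B000-memory.dmp",
    "behavioral2/memory/2388-173-0x0000000000400000-0x000000000041B000-memory.dmp",
]
_WEBBROWSERPASSVIEW = [
    "behavioral2/memory/424-141-0x0000000006AB0000-0x0000000006B40000-memory.dmp",
    "behavioral2/memory/2624-161-0x0000000006A90000-0x0000000006B20000-memory.dmp",
    "behavioral2/memory/3860-176-0x0000000000000000-mapping.dmp",
    "behavioral2/memory/3860-177-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral2/memory/3860-179-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral2/memory/3860-180-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral2/memory/3860-182-0x0000000000400000-0x0000000000458000-memory.dmp",
]
# The generic Nirsoft rule fired on the union of the two lists above (11 entries).
_NIRSOFT = _MAILPASSVIEW + _WEBBROWSERPASSVIEW[2:]

YARA_MATCHES: List[Tuple[str, str]] = (
    [(r, "MailPassView") for r in _MAILPASSVIEW]
    + [(r, "WebBrowserPassView") for r in _WEBBROWSERPASSVIEW]
    + [(r, "Nirsoft") for r in _NIRSOFT]
)

_RESOURCE_RE = re.compile(
    r"^(?P<task>[A-Za-z0-9_]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)(?:-0x(?P<end>[0-9A-Fa-f]+))?"
    r"-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class MemoryIoC:
    task: str
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a mapping.dmp entry, which carries no address range
    kind: str

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start


def parse_resource(resource: str) -> MemoryIoC:
    m = _RESOURCE_RE.match(resource)
    if not m:
        raise ValueError(f"unrecognised resource: {resource!r}")
    end = m.group("end")
    return MemoryIoC(
        task=m.group("task"),
        pid=int(m.group("pid")),
        seq=int(m.group("seq")),
        start=int(m.group("start"), 16),
        end=None if end is None else int(end, 16),
        kind=m.group("kind"),
    )


Region = Tuple[int, int, Optional[int]]  # (pid, start, end)


def summarize_regions(matches: List[Tuple[str, str]]) -> Dict[Region, Set[str]]:
    """One entry per (pid, address range) with the set of rules that matched it."""
    out: Dict[Region, Set[str]] = defaultdict(set)
    for resource, rule in matches:
        ioc = parse_resource(resource)
        out[(ioc.pid, ioc.start, ioc.end)].add(rule)
    return dict(out)


def image_base_regions(summary: Dict[Region, Set[str]], image_base: int = 0x400000) -> Dict[int, Tuple[int, int]]:
    """PIDs whose matched region starts at the classic PE image base. A payload found
    there inside a signed Microsoft binary (vbc.exe in this report) is consistent with
    the original image having been replaced, not with a module loaded alongside it."""
    return {pid: (start, end) for (pid, start, end) in summary
            if start == image_base and end is not None}


if __name__ == "__main__":
    summary = summarize_regions(YARA_MATCHES)
    for (pid, start, end), rules in sorted(summary.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or 0)):
        span = f"0x{start:X}-0x{end:X} ({end - start} bytes)" if end is not None else "mapping"
        print(f"pid {pid:<5} {span:<40} {', '.join(sorted(rules))}")
    print("image-base matches:", image_base_regions(summary))
```

Run as a script it prints one line per region. The two first-stage processes (424 and 2624) match all three rules in a single high region, where both tools sit side by side before injection; the vbc.exe children each match at 0x400000 with only the tool that was injected into them.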
Executes dropped EXE  (2 IoCs)
pid   Process
1940  Windows Update.exe
2624  Windows Update.exe

Checks computer location settings  (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
Uses the Visual Basic compiler (vbc.exe) for execution  (1 TTPs)
The sandbox labels this "VBS compiler"; vbc.exe is the .NET Visual Basic compiler, a signed Microsoft binary that is used here only as a host process for the injected NirSoft tools (the vbc.exe /stext entries in the process tree).
Accesses Microsoft Outlook accounts  (1 TTPs, 1 IoCs)
description  ioc                                                                                                                     Process
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Looks up external IP address via web service  (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
40    whatismyipaddress.com
42    whatismyipaddress.com
Suspicious use of SetThreadContext  (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 4052 set thread context of 424   4052  4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe  78
PID 1940 set thread context of 2624  1940  Windows Update.exe                                                      84
PID 2624 set thread context of 2388  2624  Windows Update.exe                                                      88
PID 2624 set thread context of 3860  2624  Windows Update.exe                                                      91
Every target is a process the caller had itself just created and written into (compare the WriteProcessMemory entries and the process tree): a second copy of its own image for 424 and 2624, vbc.exe for 2388 and 3860. Create, write the payload, redirect the entry thread is the process-hollowing sequence, which is also why the NirSoft rules fire at 0x400000 inside the vbc.exe processes rather than in a loaded module.
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; the rest of this report (NirSoft credential-recovery tools, an SMTP exfiltration configuration) points to a credential stealer, so treat the ransomware label as the heuristic's default wording rather than a finding.
Suspicious behavior: EnumeratesProcesses  (2 IoCs)
pid   Process
3860  vbc.exe
3860  vbc.exe

Suspicious use of AdjustPrivilegeToken  (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2624  Windows Update.exe

Suspicious use of SetWindowsHookEx  (3 IoCs)
pid   Process
4052  4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
1940  Windows Update.exe
2624  Windows Update.exe

Suspicious use of WriteProcessMemory  (27 IoCs, identical rows collapsed with their count)
description                        pid   Process                                                                 procid_target  rows
PID 4052 wrote to memory of 424    4052  4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe  78             3
PID 424 wrote to memory of 1940    424   4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe  82             3
PID 1940 wrote to memory of 2624   1940  Windows Update.exe                                                      84             3
PID 2624 wrote to memory of 2388   2624  Windows Update.exe                                                      88             9
PID 2624 wrote to memory of 3860   2624  Windows Update.exe                                                      91             9
Processes

1  C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe"
   PID: 4052
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe"
      PID: 424
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 1940
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 2624
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 2388
               - Accesses Microsoft Outlook accounts

            5  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               PID: 3860
               - Suspicious behavior: EnumeratesProcesses
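The process tree above carries several signals that survive in ordinary process-creation telemetry even without the sandbox's API-level hooks: vbc.exe started with `/stext` (the NirSoft "save report as text" switch, which the Visual Basic compiler does not have), a binary called "Windows Update.exe" running from AppData\Roaming, a process relaunching a second copy of its own image, and a .NET compiler whose parent lives in AppData. The following is an added example, not part of the report: four small rules over constructed Sysmon-style events that reproduce the tree (PIDs, images and command lines from the report; the root's parent PID 900 and the two benign MSBuild/vbc.exe build events are made up), plus an ancestry walk that reconstructs the chain from a vbc.exe PID back to the dropper. The `csc.exe` entry in `DOTNET_BUILD_TOOLS` is added by analogy and does not appear in the report.

```python
"""Detection logic for the process tree in this report, run over constructed events."""
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields of Sysmon Event ID 1 we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c.exe"
WU = r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed events mirroring the report's tree. Parent PID 900 for the root and the two
# benign build events (4800, 5000) are invented so the rules have something not to fire on.
EVENTS: List[ProcEvent] = [
    ProcEvent(4052, 900, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(424, 4052, SAMPLE, SAMPLE + '"'),
    ProcEvent(1940, 424, WU, '"' + WU + '"'),
    ProcEvent(2624, 1940, WU, WU + '"'),
    ProcEvent(2388, 2624, VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    ProcEvent(3860, 2624, VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    ProcEvent(4800, 1, r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe", "MSBuild.exe App.vbproj"),
    ProcEvent(5000, 4800, VBC, VBC + " /noconfig /out:App.exe Module1.vb"),
]

Parents = Dict[int, ProcEvent]
Rule = Callable[[ProcEvent, Parents], bool]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def rule_vbc_stext(ev: ProcEvent, parents: Parents) -> bool:
    """/stext is NirSoft's 'save report as text' switch; vbc.exe has no such option, so
    vbc.exe carrying it means another executable is running inside that process."""
    return _base(ev.image) == "vbc.exe" and "/stext" in ev.cmdline.lower().split()


def rule_self_spawn(ev: ProcEvent, parents: Parents) -> bool:
    """A process launching a second copy of its own image (4052->424 and 1940->2624 in the
    report), the usual prelude to writing a payload into the child and redirecting its thread."""
    parent = parents.get(ev.ppid)
    return parent is not None and parent.image.lower() == ev.image.lower()


LOOKALIKE_NAMES = {"windows update.exe"}  # extend with component-sounding names seen locally


def rule_masquerade_in_appdata(ev: ProcEvent, parents: Parents) -> bool:
    """A Windows-component-sounding name running from the user profile instead of C:\\Windows."""
    return _base(ev.image) in LOOKALIKE_NAMES and _in_appdata(ev.image)


DOTNET_BUILD_TOOLS = {"vbc.exe", "csc.exe"}  # csc.exe added by analogy, not seen in this report


def rule_build_tool_from_appdata(ev: ProcEvent, parents: Parents) -> bool:
    """A .NET compiler started by something living in AppData; real builds are driven by an
    IDE or MSBuild, not by a binary in Roaming."""
    parent = parents.get(ev.ppid)
    return parent is not None and _in_appdata(parent.image) and _base(ev.image) in DOTNET_BUILD_TOOLS


RULES: Dict[str, Rule] = {
    "vbc_stext": rule_vbc_stext,
    "self_spawn": rule_self_spawn,
    "masquerade_in_appdata": rule_masquerade_in_appdata,
    "build_tool_from_appdata": rule_build_tool_from_appdata,
}


def run_rules(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    parents: Parents = {e.pid: e for e in events}
    return [(e.pid, name) for e in events for name, rule in RULES.items() if rule(e, parents)]


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk parent links from pid back to the first process we have no record for."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in run_rules(EVENTS):
        print(f"pid {pid}: {rule}")
    print("chain to 3860:", " -> ".join(map(str, ancestry(EVENTS, 3860))))
```

The `/stext` rule is the highest-confidence one: it needs no parent context and is a plain command-line match. The other three are lower-confidence on their own (a self-relaunch is also how some updaters and installers behave) and are best scored together, which is what the ancestry walk supports: every process on the chain from 4052 to 3860 trips at least one of them.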
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 102B
MD5: 1ecd6816a51877ed449c46e97da68163
SHA1: ead75fb308c112ddd346330050e5dbcc56cb8246
SHA256: aab13006a002ff3b7708c6a90f67752834c25aa4f6822f54531133fa4ea1f481
SHA512: b989bd5df9e706adcb51cde8c052fc7e7b7829ffc010377acf2fffd85c3ca282324c26f8557c1cccf1cdd005fdb65ff7252c47769fd5df151c246adecf4cfac8

Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Filesize: 773KB (listed three times in the report; all three entries carry the hashes of the submitted sample)
MD5: 919fad47fb64a39ead7e17dfbe4cfc06
SHA1: 5397ecbfee38cc27ad328c80de850a1da0334734
SHA256: 4858c75de20e121e8fea9996ad070ee4759764b46cc247687bf42af3ac08c46c
SHA512: d0e0b93b39730a6ba98f1af3af0d10948c4fe036b940fc3520ad7a667a94641c447fdcb66ee0716b632bec2cb588594e884f1ba58a23f8d2eea5de0666775005