Analysis
-
max time kernel
137s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-07-2022 04:19
Static task
static1
Behavioral task
behavioral1
Sample
TT payment/paymentT.exe
Resource
win7-20220414-en
General
-
Target
TT payment/paymentT.exe
-
Size
1.1MB
-
MD5
0259f2101d14d3ba036ea6ddfbf6753b
-
SHA1
454a919827e31b52f4f471f1af4ff2c75a2fa7dd
-
SHA256
35bf61d1b81f4ccb69e666d635f995ecd6d549a8708c4139418a84bfa09f4687
-
SHA512
1d966e2eec88bc95c71815a6f7ac4e4b5276cbf3f43b0634491154589a40005e7975d4d4c8286b64898347d73980067477e535eb60e81ce6db13fb387a7f9386
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
..........***///pakings
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/816-57-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/816-58-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/816-61-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/816-63-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/816-64-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1152-65-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1152-66-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1152-69-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1152-70-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1152-73-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 10 IoCs
resource yara_rule behavioral1/memory/816-57-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/816-58-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/816-61-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/816-63-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/816-64-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1152-65-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1152-66-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1152-69-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1152-70-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1152-73-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1880 set thread context of 816 1880 paymentT.exe 27 PID 1880 set thread context of 1152 1880 paymentT.exe 28 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1880 paymentT.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1880 paymentT.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 816 1880 paymentT.exe 27 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28 PID 1880 wrote to memory of 1152 1880 paymentT.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\TT payment\paymentT.exe"C:\Users\Admin\AppData\Local\Temp\TT payment\paymentT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
PID:816
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵PID:1152
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84