Analysis
-
max time kernel
126s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-07-2022 04:19
Static task
static1
Behavioral task
behavioral1
Sample
TT payment/paymentT.exe
Resource
win7-20220414-en
General
-
Target
TT payment/paymentT.exe
-
Size
1.1MB
-
MD5
0259f2101d14d3ba036ea6ddfbf6753b
-
SHA1
454a919827e31b52f4f471f1af4ff2c75a2fa7dd
-
SHA256
35bf61d1b81f4ccb69e666d635f995ecd6d549a8708c4139418a84bfa09f4687
-
SHA512
1d966e2eec88bc95c71815a6f7ac4e4b5276cbf3f43b0634491154589a40005e7975d4d4c8286b64898347d73980067477e535eb60e81ce6db13fb387a7f9386
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
..........***///pakings
Signatures
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/1724-131-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/1724-132-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1724-134-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1724-135-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/1344-138-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1344-137-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/1344-140-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1344-141-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/1344-143-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 9 IoCs
resource yara_rule behavioral2/memory/1724-131-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/1724-132-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1724-134-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1724-135-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1344-138-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1344-137-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/1344-140-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1344-141-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/1344-143-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 whatismyipaddress.com 18 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2064 set thread context of 1724 2064 paymentT.exe 84 PID 2064 set thread context of 1344 2064 paymentT.exe 91 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1344 vbc.exe 1344 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2064 paymentT.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2064 paymentT.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1724 2064 paymentT.exe 84 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91 PID 2064 wrote to memory of 1344 2064 paymentT.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\TT payment\paymentT.exe"C:\Users\Admin\AppData\Local\Temp\TT payment\paymentT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
PID:1724
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196