Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2022 15:07

Static task: static1

Behavioral task: behavioral1
- Sample: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
- Resource: win7-20220414-en

General
- Target: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
- Size: 958KB
- MD5: 1e36889624db92dfefc58f9bb1946f27
- SHA1: 913eb1a83bb89069697488f98678d2f08f4b26d5
- SHA256: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879
- SHA512: 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: jozo2018
Signatures

NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
resource | yara_rule
- behavioral1/memory/1988-66-0x0000000001DE0000-0x0000000001E70000-memory.dmp | MailPassView
- behavioral1/memory/1988-69-0x00000000776B0000-0x0000000077830000-memory.dmp | MailPassView
- behavioral1/memory/1868-99-0x0000000002750000-0x00000000027E0000-memory.dmp | MailPassView
- behavioral1/memory/1808-108-0x0000000000411654-mapping.dmp | MailPassView
- behavioral1/memory/1808-107-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral1/memory/1808-111-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral1/memory/1808-115-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral1/memory/1808-121-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
- behavioral1/memory/1988-66-0x0000000001DE0000-0x0000000001E70000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1988-69-0x00000000776B0000-0x0000000077830000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1868-99-0x0000000002750000-0x00000000027E0000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1608-120-0x0000000000442628-mapping.dmp | WebBrowserPassView
- behavioral1/memory/1608-119-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1608-124-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1608-127-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView

Nirsoft (12 IoCs)
resource | yara_rule
- behavioral1/memory/1988-66-0x0000000001DE0000-0x0000000001E70000-memory.dmp | Nirsoft
- behavioral1/memory/1988-69-0x00000000776B0000-0x0000000077830000-memory.dmp | Nirsoft
- behavioral1/memory/1868-99-0x0000000002750000-0x00000000027E0000-memory.dmp | Nirsoft
- behavioral1/memory/1808-108-0x0000000000411654-mapping.dmp | Nirsoft
- behavioral1/memory/1808-107-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral1/memory/1808-111-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral1/memory/1808-115-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral1/memory/1608-120-0x0000000000442628-mapping.dmp | Nirsoft
- behavioral1/memory/1608-119-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral1/memory/1808-121-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral1/memory/1608-124-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral1/memory/1608-127-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft

Executes dropped EXE (2 IoCs)
pid | Process
- 948 | Windows Update.exe
- 1868 | Windows Update.exe

Deletes itself (1 IoC)
pid | Process
- 1868 | Windows Update.exe

Loads dropped DLL (8 IoCs)
pid | Process
- 1988 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
- 948 | Windows Update.exe (4 entries)
- 1868 | Windows Update.exe (3 entries)

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 4 | whatismyipaddress.com
- 6 | whatismyipaddress.com
- 7 | whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
- PID 1732 set thread context of 1988 | 1732 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 28
- PID 948 set thread context of 1868 | 948 | Windows Update.exe | 30
- PID 1868 set thread context of 1808 | 1868 | Windows Update.exe | 32
- PID 1868 set thread context of 1608 | 1868 | Windows Update.exe | 33

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 1868 | Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
- 1732 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
- 948 | Windows Update.exe
- 1868 | Windows Update.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
- 1988 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
- 1868 | Windows Update.exe

Suspicious use of WriteProcessMemory (44 IoCs)
description | pid | Process | procid_target
- PID 1732 wrote to memory of 1988 | 1732 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 28 (4 entries)
- PID 1988 wrote to memory of 948 | 1988 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 29 (7 entries)
- PID 948 wrote to memory of 1868 | 948 | Windows Update.exe | 30 (7 entries)
- PID 1868 wrote to memory of 1808 | 1868 | Windows Update.exe | 32 (13 entries)
- PID 1868 wrote to memory of 1608 | 1868 | Windows Update.exe | 33 (13 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe (PID 1732)
   Command line: "C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe (PID 1988)
      Command line: C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe"
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 948)
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1868)
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            - Deletes itself
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1808)
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               - Accesses Microsoft Outlook accounts

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1608)
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 102B
  MD5: 0511f819df58e36da795e56c4985acf6
  SHA1: 563df302404600543a7823a59a72a34de6158697
  SHA256: e5f07e6e3132168e1eff0e676c1952eb7a1333453a47955dc988c13db1ed4c7a
  SHA512: b898a3dfe2976f0eaf9c4f5852cde820300757a8014de1f7accd0dadf4da1ee440004b9d92bb1191f37454dc81f64cd2cd770a3e21db579a32a92f63a6116e8f

- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

- Filesize: 958KB
  MD5: 1e36889624db92dfefc58f9bb1946f27
  SHA1: 913eb1a83bb89069697488f98678d2f08f4b26d5
  SHA256: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879
  SHA512: 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c