Analysis

max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2022 15:07

Static task: static1
Behavioral task: behavioral1
Sample: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
Resource: win7-20220414-en
General

Target: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
Size: 958KB
MD5: 1e36889624db92dfefc58f9bb1946f27
SHA1: 913eb1a83bb89069697488f98678d2f08f4b26d5
SHA256: 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879
SHA512: 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c
Malware Config
Signatures
NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients

resource | yara_rule
behavioral2/memory/5076-140-0x00000000021E0000-0x0000000002270000-memory.dmp | MailPassView
behavioral2/memory/2348-161-0x0000000006B10000-0x0000000006BA0000-memory.dmp | MailPassView
behavioral2/memory/4456-167-0x0000000000000000-mapping.dmp | MailPassView
behavioral2/memory/4456-168-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers

resource | yara_rule
behavioral2/memory/5076-140-0x00000000021E0000-0x0000000002270000-memory.dmp | WebBrowserPassView
behavioral2/memory/2348-161-0x0000000006B10000-0x0000000006BA0000-memory.dmp | WebBrowserPassView
Nirsoft (4 IoCs)

resource | yara_rule
behavioral2/memory/5076-140-0x00000000021E0000-0x0000000002270000-memory.dmp | Nirsoft
behavioral2/memory/2348-161-0x0000000006B10000-0x0000000006BA0000-memory.dmp | Nirsoft
behavioral2/memory/4456-167-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/4456-168-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
Executes dropped EXE (2 IoCs)

pid | Process
1504 | Windows Update.exe
2348 | Windows Update.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
Uses the VBS compiler for execution (1 TTPs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
68 | whatismyipaddress.com
66 | whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)

description | pid | Process | procid_target
PID 2544 set thread context of 5076 | 2544 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 82
PID 1504 set thread context of 2348 | 1504 | Windows Update.exe | 92
PID 2348 set thread context of 4456 | 2348 | Windows Update.exe | 93
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2348 | Windows Update.exe
Suspicious use of SetWindowsHookEx (3 IoCs)

pid | Process
2544 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
1504 | Windows Update.exe
2348 | Windows Update.exe
Suspicious use of WriteProcessMemory (18 IoCs)

description | pid | Process | procid_target
PID 2544 wrote to memory of 5076 | 2544 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 82
PID 2544 wrote to memory of 5076 | 2544 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 82
PID 2544 wrote to memory of 5076 | 2544 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 82
PID 5076 wrote to memory of 1504 | 5076 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 85
PID 5076 wrote to memory of 1504 | 5076 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 85
PID 5076 wrote to memory of 1504 | 5076 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe | 85
PID 1504 wrote to memory of 2348 | 1504 | Windows Update.exe | 92
PID 1504 wrote to memory of 2348 | 1504 | Windows Update.exe | 92
PID 1504 wrote to memory of 2348 | 1504 | Windows Update.exe | 92
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
PID 2348 wrote to memory of 4456 | 2348 | Windows Update.exe | 93
Processes

1. C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe"
   PID: 2544
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879.exe"
      PID: 5076
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 1504
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 2348
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 4456
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize | MD5 | SHA1 | SHA256 | SHA512
102B | 0511f819df58e36da795e56c4985acf6 | 563df302404600543a7823a59a72a34de6158697 | e5f07e6e3132168e1eff0e676c1952eb7a1333453a47955dc988c13db1ed4c7a | b898a3dfe2976f0eaf9c4f5852cde820300757a8014de1f7accd0dadf4da1ee440004b9d92bb1191f37454dc81f64cd2cd770a3e21db579a32a92f63a6116e8f
958KB | 1e36889624db92dfefc58f9bb1946f27 | 913eb1a83bb89069697488f98678d2f08f4b26d5 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879 | 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c
958KB | 1e36889624db92dfefc58f9bb1946f27 | 913eb1a83bb89069697488f98678d2f08f4b26d5 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879 | 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c
958KB | 1e36889624db92dfefc58f9bb1946f27 | 913eb1a83bb89069697488f98678d2f08f4b26d5 | 51cdbed80ca92cb74429b01d57e832beb90d4b6ffbcf7639281e3713761d8879 | 51ee65fc1a57689e52ad57d63942593727e650c881c24c350a0dc676dc329bd1e4cf30c2faaf5d7a11c2018ec48e0d2351c6a35418a905199915de788f7e4e3c