Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2022 18:28

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe, Resource: win7-20220718-en)

The behavioral results on this page (signature hits and memory dumps are all prefixed behavioral2/) come from the Windows 10 run described under Analysis. behavioral1 is a separate Windows 7 task for the same sample; its results are not shown here.
General
- Target: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
- Size: 922KB
- MD5: 7e6095adef252a307789fde2a472da27
- SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
- SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
- SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: kennedey.isaac@yandex.com
- Password: jozo2018

These are credentials embedded in the sample, not credentials harvested from the sandbox machine. In a credential stealer an embedded SMTP account is the channel the harvested data is sent through, so the host, port and username are network and mailbox IOCs (outbound SMTP to smtp.yandex.com:587 from a process that is not a mail client). The Network section on this page lists no entries, so no SMTP delivery is shown for this run.
Signatures
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes (resource, yara_rule):
- behavioral2/memory/1240-140-0x0000000002AB0000-0x0000000002B40000-memory.dmp  MailPassView
- behavioral2/memory/1332-162-0x0000000002B40000-0x0000000002BD0000-memory.dmp  MailPassView
- behavioral2/memory/2956-168-0x0000000000000000-mapping.dmp  MailPassView
- behavioral2/memory/2956-169-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
- behavioral2/memory/2956-171-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
- behavioral2/memory/2956-172-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes (resource, yara_rule):
- behavioral2/memory/1240-140-0x0000000002AB0000-0x0000000002B40000-memory.dmp  WebBrowserPassView
- behavioral2/memory/1332-162-0x0000000002B40000-0x0000000002BD0000-memory.dmp  WebBrowserPassView
- behavioral2/memory/3916-175-0x0000000000000000-mapping.dmp  WebBrowserPassView
- behavioral2/memory/3916-176-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
- behavioral2/memory/3916-178-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
- behavioral2/memory/3916-179-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
- behavioral2/memory/3916-181-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView

Nirsoft 11 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/1240-140-0x0000000002AB0000-0x0000000002B40000-memory.dmp  Nirsoft
- behavioral2/memory/1332-162-0x0000000002B40000-0x0000000002BD0000-memory.dmp  Nirsoft
- behavioral2/memory/2956-168-0x0000000000000000-mapping.dmp  Nirsoft
- behavioral2/memory/2956-169-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
- behavioral2/memory/2956-171-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
- behavioral2/memory/2956-172-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
- behavioral2/memory/3916-175-0x0000000000000000-mapping.dmp  Nirsoft
- behavioral2/memory/3916-176-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
- behavioral2/memory/3916-178-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
- behavioral2/memory/3916-179-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
- behavioral2/memory/3916-181-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft

The generic Nirsoft rule fired on exactly the union of the two tool-specific rules (6 + 7 dumps, 2 of them shared). Both tool signatures sit together in one 576KB region of each loader stage (dump 1240-140 in the second sample instance, 1332-162 in the second Windows Update.exe), and then each appears alone at the 0x400000 image base of the vbc.exe instance it was injected into: MailPassView in PID 2956 (108KB region), WebBrowserPassView in PID 3916 (352KB region). The loader carries both tools and unpacks one per hollowed host.
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 620  Windows Update.exe
- 1332 Windows Update.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation by 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (the second instance, PID 1240, per the process tree below)
Uses the VBS compiler for execution 1 TTPs
The binary in question, C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, is the Visual Basic .NET command-line compiler, not a VBScript engine, and it compiles nothing here. Windows Update.exe (PID 1332) starts it twice and, per the SetThreadContext and WriteProcessMemory tables below, overwrites its memory and replaces its thread context: vbc.exe is the hollowing host for the NirSoft tools. The /stext switch on its command line is the NirSoft save-as-text option; vbc.exe itself has no such switch.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts by vbc.exe (PID 2956, the instance carrying the MailPassView signature)
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 14  whatismyipaddress.com
- 16  whatismyipaddress.com
Suspicious use of SetThreadContext 4 IoCs
Processes (pid, process -> target pid, target process):
- 2988 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe -> 1240 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
- 620 Windows Update.exe -> 1332 Windows Update.exe
- 1332 Windows Update.exe -> 2956 vbc.exe
- 1332 Windows Update.exe -> 3916 vbc.exe

Every source here also appears as the writer of the same target in the WriteProcessMemory table: write the payload into a child started suspended, then reset its thread context to the payload. The sample hollows a second copy of itself, the dropped copy hollows a second copy of itself, and that one hollows two vbc.exe processes. The only parent-child edge with writes but no SetThreadContext is 1240 -> 620, the plain launch of the dropped copy.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic text for this signature. Nothing else in this report supports ransomware (no bulk file writes, no dropped note, and a credential-stealer toolset in memory); read the drive enumeration as host profiling, in line with the SysInfo.txt written to the Temp directory during the run.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 3916 vbc.exe
- 3916 vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege  1332 Windows Update.exe

Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 2988 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
- 620 Windows Update.exe
- 1332 Windows Update.exe
(SetWindowsHookEx is the API that installs keyboard, mouse and other window hooks; the report does not record which hook type was set.)

Suspicious use of WriteProcessMemory 27 IoCs
Processes (pid, process -> target pid, target process, number of writes):
- 2988 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe -> 1240 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (3)
- 1240 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe -> 620 Windows Update.exe (3)
- 620 Windows Update.exe -> 1332 Windows Update.exe (3)
- 1332 Windows Update.exe -> 2956 vbc.exe (9)
- 1332 Windows Update.exe -> 3916 vbc.exe (9)
Processes
Indentation gives the parent/child relationship. PIDs are taken from the SetThreadContext and WriteProcessMemory tables above (2988 -> 1240 -> 620 -> 1332 -> 2956 and 3916); command lines are reproduced as the sandbox recorded them, including the lone trailing quote on the hollowed instances.

[depth 1] C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (PID 2988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (PID 1240)
    Command line: C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 620)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1332)
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2956)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
        [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3916)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          - Suspicious behavior: EnumeratesProcesses
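The injection chain and the foreign command-line switch in the tree above can be recovered mechanically from the report's tables. The following Python is an added example written for this page, not part of the sandbox's output: its process table and API events are transcribed from the Signatures and Processes sections, while the HOLLOW_HOSTS and NIRSOFT_SWITCHES sets are the example's own assumptions (a short list of .NET framework binaries commonly abused as hollowing hosts, and the NirSoft save-as switches), not something the report states.

```python
"""Reconstruct the hollowing chain and flag look-alike command lines from the
sandbox's event tables. Added example, not part of the report; the process
table and events are transcribed from it, the two sets below are assumptions."""
import re
from collections import Counter

SAMPLE = "510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"

# pid -> (image name, parent pid, command line as the report shows it)
PROCESSES = {
    2988: (SAMPLE, None, f'"{TEMP}\\{SAMPLE}"'),
    1240: (SAMPLE, 2988, f'{TEMP}\\{SAMPLE}"'),
    620:  ("Windows Update.exe", 1240, f'"{ROAMING}\\Windows Update.exe"'),
    1332: ("Windows Update.exe", 620, f'{ROAMING}\\Windows Update.exe"'),
    2956: ("vbc.exe", 1332, f'{VBC} /stext "{TEMP}\\holdermail.txt"'),
    3916: ("vbc.exe", 1332, f'{VBC} /stext "{TEMP}\\holderwb.txt"'),
}

# (source pid, API, target pid), repeated as often as the report lists it
EVENTS = (
    [(2988, "WriteProcessMemory", 1240)] * 3
    + [(1240, "WriteProcessMemory", 620)] * 3
    + [(620, "WriteProcessMemory", 1332)] * 3
    + [(1332, "WriteProcessMemory", 2956)] * 9
    + [(1332, "WriteProcessMemory", 3916)] * 9
    + [(2988, "SetThreadContext", 1240), (620, "SetThreadContext", 1332),
       (1332, "SetThreadContext", 2956), (1332, "SetThreadContext", 3916)]
)

# Assumptions of this example, not taken from the report.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
NIRSOFT_SWITCHES = {"/stext", "/scomma", "/stab", "/shtml", "/sverhtml", "/sxml"}


def hollowing_pairs(events):
    """(src, dst, writes) where src both wrote dst's memory and replaced a thread
    context in it: the two calls that make up process hollowing. A parent that
    only wrote to a child (ordinary process creation) is left out."""
    writes = Counter((s, d) for s, api, d in events if api == "WriteProcessMemory")
    ctx = {(s, d) for s, api, d in events if api == "SetThreadContext"}
    return sorted((s, d, writes[(s, d)]) for s, d in ctx if writes[(s, d)])


def classify(pairs, procs):
    """Label each hollowing pair by what was hollowed."""
    out = []
    for s, d, n in pairs:
        src, dst = procs[s][0], procs[d][0]
        if dst.lower() in HOLLOW_HOSTS:
            kind = "hollowed framework binary"
        elif src == dst:
            kind = "self-hollowing (own image re-launched)"
        else:
            kind = "cross-image hollowing"
        out.append((s, src, d, dst, n, kind))
    return out


def suspicious_cmdlines(procs):
    """Framework binaries whose command line carries a NirSoft output switch.
    vbc.exe has no /stext option, so '/stext "<file>"' only makes sense for
    code injected into it; the quoted path is where the loot will be written."""
    hits = []
    for pid, (img, _, cmd) in procs.items():
        found = {t.lower() for t in cmd.split() if t.startswith("/")} & NIRSOFT_SWITCHES
        if img.lower() in HOLLOW_HOSTS and found:
            m = re.search(r'/s\w+\s+"([^"]+)"', cmd)
            hits.append((pid, img, sorted(found), m.group(1) if m else None))
    return sorted(hits)


def chain(procs, pid):
    """Ancestry of pid as 'pid:image' hops, youngest first."""
    hops = []
    while pid is not None:
        img, parent, _ = procs[pid]
        hops.append(f"{pid}:{img}")
        pid = parent
    return " <- ".join(hops)


if __name__ == "__main__":
    for s, src, d, dst, n, kind in classify(hollowing_pairs(EVENTS), PROCESSES):
        print(f"{s} ({src}) -> {d} ({dst}): {n} writes, {kind}")
    for pid, img, sw, outfile in suspicious_cmdlines(PROCESSES):
        print(f"{pid} {img} {' '.join(sw)} -> {outfile}\n    {chain(PROCESSES, pid)}")
```

hollowing_pairs keeps only edges on which the same source both wrote the target and reset a thread context, which drops 1240 -> 620 (the plain launch of the dropped copy) and keeps the four hollowing edges; the same join on (source, target) over WriteProcessMemory and SetThreadContext events is the cheap first-pass detector on a live EDR feed, with the "framework binary as target" label the one worth paging on.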
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
- Filesize: 102B
- MD5: cf5c1671adb88a302d79a6fbe4ec9a4a
- SHA1: cced67a7921569dab2fcdfdbc3b5ba61587ed675
- SHA256: ba0d7b9dbbf2342c275335db134321a52817d646d0caf682cef0330ac6ceaba2
- SHA512: 552f8c880b5a05523f7dd85c10a4eb59cf6eb83312214a87f66a2280576db383ad37e9584a741e7c78379c0498564306eef5557d5fb2b5d831028de28a4ddeae

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- Filesize: 3KB
- MD5: f94dc819ca773f1e3cb27abbc9e7fa27
- SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
- SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
- SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times in the report, all three with identical hashes)
- Filesize: 922KB
- MD5: 7e6095adef252a307789fde2a472da27
- SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
- SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
- SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974

holderwb.txt is the output file named on the second vbc.exe command line (PID 3916, the WebBrowserPassView instance) and holds 3KB in this run; holdermail.txt, named on the first vbc.exe command line, is not among the captured files. Windows Update.exe has exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample: the dropper copies itself unchanged into the Roaming profile under a Windows-sounding name and relaunches from there, so the original hashes remain valid indicators for the persisted copy.
Memory dumps (file, size), grouped by process:

PID 620 (Windows Update.exe, first instance)
- memory/620-146-0x0000000000000000-mapping.dmp
- memory/620-155-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB

PID 1240 (510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe, second instance)
- memory/1240-133-0x0000000000000000-mapping.dmp
- memory/1240-137-0x0000000000400000-0x0000000000477000-memory.dmp  476KB
- memory/1240-140-0x0000000002AB0000-0x0000000002B40000-memory.dmp  576KB
- memory/1240-143-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1240-144-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1240-145-0x0000000074FA0000-0x0000000075551000-memory.dmp  5.7MB
- memory/1240-150-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1240-152-0x0000000074FA0000-0x0000000075551000-memory.dmp  5.7MB

PID 1332 (Windows Update.exe, second instance)
- memory/1332-153-0x0000000000000000-mapping.dmp
- memory/1332-157-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1332-162-0x0000000002B40000-0x0000000002BD0000-memory.dmp  576KB
- memory/1332-165-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1332-167-0x0000000074FA0000-0x0000000075551000-memory.dmp  5.7MB
- memory/1332-173-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB
- memory/1332-174-0x0000000074FA0000-0x0000000075551000-memory.dmp  5.7MB

PID 2956 (vbc.exe, holdermail.txt)
- memory/2956-168-0x0000000000000000-mapping.dmp
- memory/2956-169-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
- memory/2956-171-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
- memory/2956-172-0x0000000000400000-0x000000000041B000-memory.dmp  108KB

PID 2988 (510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe, first instance)
- memory/2988-132-0x0000000002350000-0x0000000002357000-memory.dmp  28KB
- memory/2988-134-0x0000000077930000-0x0000000077AD3000-memory.dmp  1.6MB

PID 3916 (vbc.exe, holderwb.txt)
- memory/3916-175-0x0000000000000000-mapping.dmp
- memory/3916-176-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
- memory/3916-178-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
- memory/3916-179-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
- memory/3916-181-0x0000000000400000-0x0000000000458000-memory.dmp  352KB

Which of these to pull first: the 1.6MB range 0x77930000-0x77AD3000 is dumped from all four loader processes at the same base, as a system DLL shared across processes would be, and the 5.7MB range 0x74FA0000-0x75551000 appears in both second-stage processes (1240 and 1332) only; neither carries a rule hit. The regions the NirSoft rules match are the ones private to a single process: the 576KB allocations at 0x2AB0000 (1240) and 0x2B40000 (1332) that hold both tools, and the 0x400000 image base of each hollowed vbc.exe (108KB in 2956, 352KB in 3916), which is the unpacked tool itself. The 476KB region at 0x400000 in 1240 is the image base of the hollowed second sample instance.
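The same triage can be scripted for any report of this shape: group the dump files by address range to separate ranges mapped at one base in several processes (shared modules) from ranges private to one process, then rank the private ones that already carry a YARA hit first. The following Python is an added example written for this page, not part of the sandbox's output; the dump names and the rule hits are transcribed from the Memory and Signatures sections above, and the ranking rule is the example's own choice.

```python
"""Triage sandbox memory dumps: shared vs. private ranges, latest dump per
range, YARA hits first. Added example; dump names and hits are transcribed
from the report (constructed input), the ranking is this example's choice."""
import re
from collections import defaultdict

DUMPS = """
memory/620-155-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/620-146-0x0000000000000000-mapping.dmp
memory/1240-137-0x0000000000400000-0x0000000000477000-memory.dmp
memory/1240-145-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1240-144-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1240-143-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1240-150-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1240-152-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1240-140-0x0000000002AB0000-0x0000000002B40000-memory.dmp
memory/1240-133-0x0000000000000000-mapping.dmp
memory/1332-157-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1332-173-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1332-162-0x0000000002B40000-0x0000000002BD0000-memory.dmp
memory/1332-165-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/1332-153-0x0000000000000000-mapping.dmp
memory/1332-167-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/1332-174-0x0000000074FA0000-0x0000000075551000-memory.dmp
memory/2956-172-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2956-171-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2956-169-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2956-168-0x0000000000000000-mapping.dmp
memory/2988-132-0x0000000002350000-0x0000000002357000-memory.dmp
memory/2988-134-0x0000000077930000-0x0000000077AD3000-memory.dmp
memory/3916-175-0x0000000000000000-mapping.dmp
memory/3916-176-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3916-178-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3916-179-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3916-181-0x0000000000400000-0x0000000000458000-memory.dmp
"""

# YARA hits as (pid, dump sequence number) from the Signatures section; the
# generic Nirsoft rule fired on exactly the union of the two tool rules.
YARA = {
    "MailPassView": {(1240, 140), (1332, 162), (2956, 168), (2956, 169), (2956, 171), (2956, 172)},
    "WebBrowserPassView": {(1240, 140), (1332, 162), (3916, 175), (3916, 176),
                           (3916, 178), (3916, 179), (3916, 181)},
}
YARA["Nirsoft"] = YARA["MailPassView"] | YARA["WebBrowserPassView"]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dumps(text):
    """Parse 'memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' names."""
    dumps = []
    for name in text.split():
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        pid, seq, start, end, kind = m.groups()
        dumps.append({"name": name, "pid": int(pid), "seq": int(seq), "kind": kind,
                      "start": int(start, 16), "end": int(end, 16) if end else None})
    return dumps


def shared_vs_private(dumps):
    """Address ranges seen in more than one PID vs. in exactly one PID."""
    pids_by_range = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory":
            pids_by_range[(d["start"], d["end"])].add(d["pid"])
    shared = {r: p for r, p in pids_by_range.items() if len(p) > 1}
    private = {r: next(iter(p)) for r, p in pids_by_range.items() if len(p) == 1}
    return shared, private


def triage(dumps, yara):
    """One row per (pid, range), keeping the latest dump of it, ranked: private
    range with a YARA hit first, private without a hit next, shared ranges last."""
    shared, _ = shared_vs_private(dumps)
    rules_of = defaultdict(set)
    for rule, hits in yara.items():
        for hit in hits:
            rules_of[hit].add(rule)
    rows = {}
    for d in sorted(dumps, key=lambda d: d["seq"]):
        if d["kind"] != "memory":
            continue  # mapping.dmp entries carry no address range
        rng = (d["start"], d["end"])
        row = rows.setdefault((d["pid"],) + rng, {
            "pid": d["pid"], "start": d["start"], "end": d["end"],
            "size_kb": (d["end"] - d["start"]) // 1024, "rules": set(),
            "shared_with": sorted(shared.get(rng, set()) - {d["pid"]})})
        row["rules"] |= rules_of.get((d["pid"], d["seq"]), set())
        row["name"] = d["name"]  # ends on the highest sequence number
    score = lambda r: (2 if r["rules"] else 0) + (0 if r["shared_with"] else 1)
    return sorted(rows.values(), key=lambda r: (-score(r), r["pid"], r["start"]))


if __name__ == "__main__":
    for r in triage(parse_dumps(DUMPS), YARA):
        print(r["pid"], hex(r["start"]), f'{r["size_kb"]}KB', sorted(r["rules"]), r["shared_with"], r["name"])
```

The ranking puts the four tool regions (576KB in 1240 and 1332, the 0x400000 base of each vbc.exe) at the top, the two private regions without a hit (the 476KB base of 1240 and the 28KB allocation in 2988) next, and the two shared ranges last; repeated dumps of one range collapse to the latest, since the later dump is the one taken after the region was fully written.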