Analysis
Max time kernel: 141s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220718-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-07-2022 18:28
Static task: static1
Behavioral task: behavioral1
Sample: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
Resource: win7-20220718-en
General
Target: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
Size: 922KB
MD5: 7e6095adef252a307789fde2a472da27
SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: jozo2018
Signatures

NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients.
NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers.
Nirsoft (11 IoCs)
Executes dropped EXE (2 IoCs)
PID   Process
620   Windows Update.exe
1332  Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Description   IoC                                                                                                      Process
Key queried   \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation    510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Description   IoC                                                                                                                       Process
Key opened    \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts    vbc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow   IoC
14     whatismyipaddress.com
16     whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
Description                        PID    Process                                                                    Target procid
PID 2988 set thread context of 1240  2988   510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe    78
PID 620 set thread context of 1332   620    Windows Update.exe                                                         80
PID 1332 set thread context of 2956  1332   Windows Update.exe                                                         82
PID 1332 set thread context of 3916  1332   Windows Update.exe                                                         83

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID    Process
3916   vbc.exe
3916   vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description                 PID    Process
Token: SeDebugPrivilege     1332   Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
PID    Process
2988   510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
620    Windows Update.exe
1332   Windows Update.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Description                       PID    Process                                                                    Target procid   Occurrences
PID 2988 wrote to memory of 1240  2988   510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe    78              3
PID 1240 wrote to memory of 620   1240   510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe    79              3
PID 620 wrote to memory of 1332   620    Windows Update.exe                                                         80              3
PID 1332 wrote to memory of 2956  1332   Windows Update.exe                                                         82              9
PID 1332 wrote to memory of 3916  1332   Windows Update.exe                                                         83              9
Processes
1. C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
   PID: 2988
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
      PID: 1240
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 620
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 1332
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 2956
               - Accesses Microsoft Outlook accounts
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               PID: 3916
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 102B
MD5: cf5c1671adb88a302d79a6fbe4ec9a4a
SHA1: cced67a7921569dab2fcdfdbc3b5ba61587ed675
SHA256: ba0d7b9dbbf2342c275335db134321a52817d646d0caf682cef0330ac6ceaba2
SHA512: 552f8c880b5a05523f7dd85c10a4eb59cf6eb83312214a87f66a2280576db383ad37e9584a741e7c78379c0498564306eef5557d5fb2b5d831028de28a4ddeae

Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Filesize: 922KB
MD5: 7e6095adef252a307789fde2a472da27
SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974