Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2022 20:20
Static task: static1
Behavioral task: behavioral1
Sample: 4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
Resource: win7-20220715-en
General
Target: 4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
Size: 970KB
MD5: 7368657baf850ecfd5d70e1f8e2a0fcd
SHA1: 70ec9d06ecd975708e1589da9900a75c8846e843
SHA256: 4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792
SHA512: a54bf8e35f1209b4a6f22eccbda4ff95071791c870c7b5b88f7c511f66b4c3e2055ee9b6dfebe02154898e494244eb3614927a1144537b9e7d890915301ded8a
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: alibaba1234
Signatures

NirSoft MailPassView (7 IoCs)
Password recovery tool for various email clients
resource                                                                    yara_rule
behavioral1/memory/984-66-0x0000000002620000-0x00000000026B0000-memory.dmp   MailPassView
behavioral1/memory/1316-102-0x00000000025A0000-0x0000000002630000-memory.dmp MailPassView
behavioral1/memory/1960-112-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1960-113-0x0000000000411654-mapping.dmp                   MailPassView
behavioral1/memory/1960-116-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1960-119-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1960-122-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
resource                                                                    yara_rule
behavioral1/memory/984-66-0x0000000002620000-0x00000000026B0000-memory.dmp   WebBrowserPassView
behavioral1/memory/1316-102-0x00000000025A0000-0x0000000002630000-memory.dmp WebBrowserPassView
behavioral1/memory/1604-123-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1604-124-0x0000000000442628-mapping.dmp                   WebBrowserPassView
behavioral1/memory/1604-127-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1604-129-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1604-131-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
Nirsoft (12 IoCs)
resource                                                                    yara_rule
behavioral1/memory/984-66-0x0000000002620000-0x00000000026B0000-memory.dmp   Nirsoft
behavioral1/memory/1316-102-0x00000000025A0000-0x0000000002630000-memory.dmp Nirsoft
behavioral1/memory/1960-112-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1960-113-0x0000000000411654-mapping.dmp                   Nirsoft
behavioral1/memory/1960-116-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1960-119-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1960-122-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
behavioral1/memory/1604-123-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
behavioral1/memory/1604-124-0x0000000000442628-mapping.dmp                   Nirsoft
behavioral1/memory/1604-127-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
behavioral1/memory/1604-129-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
behavioral1/memory/1604-131-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft
Executes dropped EXE (2 IoCs)
pid   Process
1552  Windows Update.exe
1316  Windows Update.exe

Deletes itself (1 IoCs)
pid   Process
1316  Windows Update.exe

Loads dropped DLL (8 IoCs)
pid   Process                                                                  occurrences
984   4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe     1
1552  Windows Update.exe                                                       4
1316  Windows Update.exe                                                       3
Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description  ioc                                                                                                                                 Process
Key opened   \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     whatismyipaddress.com
6     whatismyipaddress.com
7     whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                  procid_target
PID 1132 set thread context of 984   1132  4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe     27
PID 1552 set thread context of 1316  1552  Windows Update.exe                                                       29
PID 1316 set thread context of 1960  1316  Windows Update.exe                                                       31
PID 1316 set thread context of 1604  1316  Windows Update.exe                                                       32
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1316  Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
1132  4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
1552  Windows Update.exe
1316  Windows Update.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
984   4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
1316  Windows Update.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Identical rows are collapsed; the occurrences column gives how many times each row appears in the report.
description                         pid   Process                                                                  procid_target  occurrences
PID 1132 wrote to memory of 984     1132  4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe     27             4
PID 984 wrote to memory of 1552     984   4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe     28             7
PID 1552 wrote to memory of 1316    1552  Windows Update.exe                                                       29             7
PID 1316 wrote to memory of 1960    1316  Windows Update.exe                                                       31             13
PID 1316 wrote to memory of 1604    1316  Windows Update.exe                                                       32             13
Processes
- C:\Users\Admin\AppData\Local\Temp\4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe"
  PID: 1132
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792.exe"
    PID: 984
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 1552
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        PID: 1316
        - Executes dropped EXE
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          PID: 1960
          - Accesses Microsoft Outlook accounts
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          PID: 1604
Downloads

Filesize: 102B
MD5: 789604969bcc4a6b979d79fef4470935
SHA1: d29d62732533dec35a81559259de1b4e7c2cfe9e
SHA256: 172c35024fde99fd313b733a569270c0648f9f366e8d03370d11ff5cfe0bd1cb
SHA512: a971a46171714fab7ff4ed02ae12a1b2320fbd9faf90ea49f428ec5d1368cbf947bdd3bdd97fa16217b5de491dcb660f132896724139494377f3ae1ed74217ef

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 970KB
MD5: 7368657baf850ecfd5d70e1f8e2a0fcd
SHA1: 70ec9d06ecd975708e1589da9900a75c8846e843
SHA256: 4fcf6a0b40b045b1ce5c37c912989ad0f8a26f5eb18dde467ab5565c09b90792
SHA512: a54bf8e35f1209b4a6f22eccbda4ff95071791c870c7b5b88f7c511f66b4c3e2055ee9b6dfebe02154898e494244eb3614927a1144537b9e7d890915301ded8a