Overview

overview

9

Static

static

4fc3963ea1...84.exe

windows7-x64

9

4fc3963ea1...84.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    48s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2022 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe

  • Size

    959KB

  • MD5

    2a87dd72470b2d643a93f13d133b786c

  • SHA1

    b5e148e73c7238b475ccfd15906ca4696f06c095

  • SHA256

    4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84

  • SHA512

    e0e59ddf5b2d94dea69fbdbca383293600a27189bb789d81e3302c5161449ab01680bd35bee1658aa80f33f31da6af140c5cac0eb9bf8938368c3a26cfd04264

Score
9/10
collectionpersistence

Malware Config

Signatures

  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe
    "C:\Users\Admin\AppData\Local\Temp\4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe WVNLIfYERIFHFSMTOQJ
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:740
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WVNLIfYERIFHFSMTOQJ
    Filesize

    38KB

    MD5

    583a62d5d924962728fa0b4b860c208d

    SHA1

    b25b54d92a6622817f722c910efa1832526e9307

    SHA256

    10abe1ad01ce4fc9e9a46ca31bef3f02998deafba2f3a2b5d797f773e40005cb

    SHA512

    b9f83c2af6dc370f27fdf4e374edc5dbb2e5f2dffbbd669a98afe2b0ca9c5eaa5047d014357ebfebd561595ad5941ffeafa5c3db8e918c01802e56d52fbc4396

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hIDGfhDhIPWC
    Filesize

    474KB

    MD5

    9e07743fdb2c33512972b7f0c66c2bf7

    SHA1

    d89479a61d01b30f38ca07ac4302f80771f61485

    SHA256

    0d27ebe5936dc6f6c69de504620887015d04837dc0c40389251f8e45c3b87d9d

    SHA512

    c63a7f8a2b18868dadf30b0bfdafba1ce74bc274b32e75a295cc1eb92d56c0d106fb9414866698eebab6d81a006a8c3a9d2d40fe9c18b465481109ca9e2a9704

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Web.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • \Users\Admin\AppData\Roaming\cHgEQbiUWZERdZeGDFdEa.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • memory/740-89-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-88-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-87-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-84-0x0000000000411790-mapping.dmp
    Download
  • memory/740-83-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-78-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-81-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-80-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-75-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/740-76-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1368-93-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-99-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-106-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-104-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-103-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-100-0x00000000004439CC-mapping.dmp
    Download
  • memory/1368-97-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-95-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-90-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1368-91-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1708-61-0x0000000000400000-0x000000000047C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1708-63-0x0000000000400000-0x000000000047C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1708-74-0x0000000073960000-0x0000000073F0B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1708-68-0x000000000047516E-mapping.dmp
    Download
  • memory/1708-69-0x0000000000400000-0x000000000047C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1708-70-0x0000000000400000-0x000000000047C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1708-73-0x0000000073960000-0x0000000073F0B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1948-57-0x0000000075CC1000-0x0000000075CC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-55-0x0000000000000000-mapping.dmp
    Download