Analysis
max time kernel: 48s
max time network: 122s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2022 20:44
Static task: static1
Behavioral task: behavioral1
  Sample: 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe
  Resource: win10v2004-20220718-en
Every signature, memory dump and process listed below comes from behavioral1 (the Windows 7 run). Nothing from behavioral2 is recorded on this page, so the sample's behaviour on Windows 10 cannot be judged from it.
General
Target: 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe
Size: 959KB
MD5: 2a87dd72470b2d643a93f13d133b786c
SHA1: b5e148e73c7238b475ccfd15906ca4696f06c095
SHA256: 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84
SHA512: e0e59ddf5b2d94dea69fbdbca383293600a27189bb789d81e3302c5161449ab01680bd35bee1658aa80f33f31da6af140c5cac0eb9bf8938368c3a26cfd04264
Malware Config
Signatures

NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients.
YARA rule MailPassView matched in the memory of PID 740 (vbc.exe), behavioral1:
  740-83  0x0000000000400000-0x000000000041B000  memory.dmp
  740-84  0x0000000000411790                     mapping.dmp
  740-87  0x0000000000400000-0x000000000041B000  memory.dmp
  740-88  0x0000000000400000-0x000000000041B000  memory.dmp
  740-89  0x0000000000400000-0x000000000041B000  memory.dmp

NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers.
YARA rule WebBrowserPassView matched in the memory of PID 1368 (vbc.exe), behavioral1:
  1368-99   0x0000000000400000-0x000000000045A000  memory.dmp
  1368-100  0x00000000004439CC                     mapping.dmp
  1368-103  0x0000000000400000-0x000000000045A000  memory.dmp
  1368-104  0x0000000000400000-0x000000000045A000  memory.dmp
  1368-106  0x0000000000400000-0x000000000045A000  memory.dmp

Nirsoft (10 IoCs)
The generic Nirsoft rule matched the same ten dumps listed under the two signatures above (PID 740 and PID 1368).

Both matches sit at 0x400000, the default image base of a 32-bit executable, inside the two vbc.exe processes rather than in a separately loaded module: the NirSoft tools were written over the hollowed vbc.exe images, which is what the SetThreadContext and WriteProcessMemory entries from RegAsm.exe (PID 1708) further down record. The single-address mapping.dmp entries (0x411790 and 0x4439CC) fall inside those ranges, consistent with execution starting in the injected image rather than in vbc.exe's own code. No process named MailPassView or WebBrowserPassView is ever executed, so detection keyed on the NirSoft image names misses this chain; the vbc.exe command lines in the process tree are the durable indicator.
Executes dropped EXE (1 IoC)
  PID 1948  cHgEQbiUWZERdZeGDFdEa.exe

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hIDGfhDhIPWCMITi.lnk  (by cHgEQbiUWZERdZeGDFdEa.exe)
This shortcut in the per-user Startup folder is the persistence mechanism in this run; the RunOnce value listed below under "Adds Run key" is not.

Loads dropped DLL (2 IoCs)
  PID 1892  4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe
  PID 1948  cHgEQbiUWZERdZeGDFdEa.exe

Uses the VBS compiler for execution (1 TTP)
The "VBS compiler" is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), not a VBScript host. It is a signed Microsoft binary and is used here purely as a process-hollowing host; the /stext switch on its command line belongs to the injected NirSoft tool, not to the compiler, which has no such option.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (by vbc.exe, PID 740)
PID 740 is the vbc.exe instance carrying MailPassView (its output file is Mail.txt); the OMI Account Manager key is where Outlook Express / Outlook Internet-mail account settings are stored, and reading it is how the tool enumerates saved mail credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (by 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (by 4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe)
Despite the signature name, this value does not start the malware. A wextract_cleanup<n> RunOnce value calling advpack.dll,DelNodeRunDLL32 is what the Windows IExpress/WEXTRACT self-extracting stub writes so that its extraction directory (here IXP000.TMP, the directory the second stage cHgEQbiUWZERdZeGDFdEa.exe runs from) is deleted at the next logon. It tells you the sample is an IExpress-style self-extracting package and nothing more; treat it as a packaging artifact, not as persistence.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3  checkip.dyndns.org
This is the only network indicator on the page. checkip.dyndns.org is a legitimate service, so the host name on its own is a weak indicator; its value is in combination with the vbc.exe /stext processes. The report records no destination to which Mail.txt or Web.txt is sent.

Suspicious use of SetThreadContext (3 IoCs)
  PID 1948 (cHgEQbiUWZERdZeGDFdEa.exe) set thread context of PID 1708 (RegAsm.exe)
  PID 1708 (RegAsm.exe) set thread context of PID 740 (vbc.exe)
  PID 1708 (RegAsm.exe) set thread context of PID 1368 (vbc.exe)
Each of these targets also receives a burst of WriteProcessMemory calls from the same source (below): the usual hollowing sequence of creating the host suspended, writing a new image into it and pointing its primary thread at that image.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "Likely ransomware behaviour" to this rule; nothing else in this report supports that reading. No process IoC is attached to it and every other signature is credential theft, so read the note as the rule's boilerplate, not as a finding about this sample.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1368  vbc.exe  (5 occurrences; this is the WebBrowserPassView instance)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1708  RegAsm.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  PID 1892 (4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe) wrote to memory of PID 1948 (cHgEQbiUWZERdZeGDFdEa.exe)   4 times
  PID 1948 (cHgEQbiUWZERdZeGDFdEa.exe) wrote to memory of PID 1708 (RegAsm.exe)   9 times
  PID 1708 (RegAsm.exe) wrote to memory of PID 740 (vbc.exe)   10 times
  PID 1708 (RegAsm.exe) wrote to memory of PID 1368 (vbc.exe)   10 times
The four writes from 1892 into 1948 have no matching SetThreadContext; a handful of parent-to-child writes around process creation is routine in this kind of sandbox log. The three write bursts that are followed by a SetThreadContext into the same target are the actual hollowing.
Processes
1  C:\Users\Admin\AppData\Local\Temp\4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe  (PID 1892)
   command line: "C:\Users\Admin\AppData\Local\Temp\4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe"
   Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe  (PID 1948)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cHgEQbiUWZERdZeGDFdEa.exe WVNLIfYERIFHFSMTOQJ
      Executes dropped EXE; Drops startup file; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      3  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1708)
         command line: none recorded
         Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
         4  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 740)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
            Accesses Microsoft Outlook accounts
         4  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1368)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
            Suspicious behavior: EnumeratesProcesses

Reading the tree: the self-extracting sample (1) unpacks cHgEQbiUWZERdZeGDFdEa.exe into IXP000.TMP and runs it with a random-looking argument (2); that loader hollows RegAsm.exe (3), a signed .NET Framework utility; the code now running inside RegAsm.exe hollows two vbc.exe instances with MailPassView and WebBrowserPassView (4), each told through NirSoft's /stext switch to write its recovered credentials to a text file in %TEMP%. Two process-creation events here are worth alerting on: RegAsm.exe started with an empty command line by an executable in the user's temp directory, and vbc.exe started with /stext instead of a source file to compile.
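The two alerting conditions just described, plus the IExpress extraction directory and the RegAsm.exe child-process anomaly, written as hunting rules over process-creation events. This is an added example, not code from the sandbox or from the sample's analysis; the events are constructed to mirror the report's process tree, and the parent PID 1000 for the sample, the 2100/2200 developer build used as a benign control, and the rule names are assumptions.

```python
"""Hunting rules for the process-hollowing chain in this report, run over
constructed Sysmon-style process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged; "" when none was recorded


SAMPLE = "4fc3963ea12b1638b7480f1278c6332249cf759f8d961e7c8eebd07ac8281b84.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
FX = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727"
LOADER = TEMP + "\\IXP000.TMP\\cHgEQbiUWZERdZeGDFdEa.exe"
REGASM = FX + "\\RegAsm.exe"
VBC = FX + "\\vbc.exe"

# Constructed events mirroring the report's tree (PIDs, paths and command lines as listed there).
# Parent PID 1000 and the 2100/2200 build are assumed, not taken from the report.
EVENTS = [
    ProcEvent(1892, 1000, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(1948, 1892, LOADER, LOADER + " WVNLIfYERIFHFSMTOQJ"),
    ProcEvent(1708, 1948, REGASM, ""),                          # no command line recorded
    ProcEvent(740, 1708, VBC, f'"{VBC}" /stext "{TEMP}\\\\Mail.txt"'),
    ProcEvent(1368, 1708, VBC, f'"{VBC}" /stext "{TEMP}\\\\Web.txt"'),
    # Benign control: a genuine VB.NET compile must not trip any rule.
    ProcEvent(2200, 2100, VBC, f'"{VBC}" /target:library /out:App.dll App.vb'),
]

# NirSoft command-line tools share a family of "save report" switches; /stext is the one used here.
NIRSOFT_EXPORT = re.compile(r"(?i)(?:^|\s)/s(?:text|tab|tabular|comma|html|verhtml|xml)\b")
# IExpress/WEXTRACT unpacks into %TEMP%\IXP<nnn>.TMP before running the packaged command.
IEXPRESS_DIR = re.compile(r"(?i)\\IXP\d{3}\.TMP\\")
USER_TEMP = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
# Signed .NET Framework utilities commonly abused as hollowing hosts.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, rule) pairs, in event order, for every rule each event trips."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        # R1: a NirSoft export switch on any process; no compiler accepts /stext.
        if NIRSOFT_EXPORT.search(e.cmdline):
            findings.append((e.pid, "nirsoft_export_switch"))
        # R2: .NET utility started with no arguments by something living in the user's temp dir.
        if name in DOTNET_HOSTS and not e.cmdline.strip() and parent and USER_TEMP.search(parent.image):
            findings.append((e.pid, "dotnet_host_from_temp_no_args"))
        # R3: executing out of an IExpress extraction directory.
        if IEXPRESS_DIR.search(e.image):
            findings.append((e.pid, "iexpress_extraction_dir"))
        # R4: RegAsm/RegSvcs do not create child processes in normal use.
        if parent and basename(parent.image) in {"regasm.exe", "regsvcs.exe"}:
            findings.append((e.pid, "child_of_regasm"))
    return findings


def chain(events, pid):
    """Ancestry of pid as image basenames, root first, for alert context."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out[::-1]


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"{rule:32} pid={pid:<5} {' -> '.join(chain(EVENTS, pid))}")
```

R1 and R2 are the two conditions the report itself makes obvious; R3 and R4 are cheap corroboration that holds across repacks of the same loader. The benign vbc.exe build is included because a rule on the compiler's image name alone would page a development host constantly; keying on the /stext switch and on an empty command line keeps the rule quiet there.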
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files are listed by size and hash only; file names and paths were not preserved in this copy of the report.

Filesize 38KB
  MD5    583a62d5d924962728fa0b4b860c208d
  SHA1   b25b54d92a6622817f722c910efa1832526e9307
  SHA256 10abe1ad01ce4fc9e9a46ca31bef3f02998deafba2f3a2b5d797f773e40005cb
  SHA512 b9f83c2af6dc370f27fdf4e374edc5dbb2e5f2dffbbd669a98afe2b0ca9c5eaa5047d014357ebfebd561595ad5941ffeafa5c3db8e918c01802e56d52fbc4396

Filesize 732KB (this entry appears four times in the original listing)
  MD5    71d8f6d5dc35517275bc38ebcc815f9f
  SHA1   cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Filesize 474KB
  MD5    9e07743fdb2c33512972b7f0c66c2bf7
  SHA1   d89479a61d01b30f38ca07ac4302f80771f61485
  SHA256 0d27ebe5936dc6f6c69de504620887015d04837dc0c40389251f8e45c3b87d9d
  SHA512 c63a7f8a2b18868dadf30b0bfdafba1ce74bc274b32e75a295cc1eb92d56c0d106fb9414866698eebab6d81a006a8c3a9d2d40fe9c18b465481109ca9e2a9704

Filesize 2B
  MD5    f3b25701fe362ec84616a93a45ce9998
  SHA1   d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  These are the hashes of the two bytes 0x0D 0x0A (a bare CRLF), consistent with one of the /stext output files being written with nothing to report; do not use them as an indicator, since any empty-line file produces them.