Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 02:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
- Resource: win7-20220718-en
General
- Target: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
- Size: 958KB
- MD5: ad5dc6ea0f64a5a16fe225a011c2a023
- SHA1: ccaa2ede5a16f03cf7982250d934c521c08042c4
- SHA256: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
- SHA512: b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109
Malware Config
Signatures
- NirSoft MailPassView (8 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral1/memory/1728-67-0x0000000002420000-0x00000000024B0000-memory.dmp | MailPassView
  behavioral1/memory/1728-70-0x0000000077C60000-0x0000000077DE0000-memory.dmp | MailPassView
  behavioral1/memory/1004-98-0x0000000002680000-0x0000000002710000-memory.dmp | MailPassView
  behavioral1/memory/1004-101-0x0000000077C60000-0x0000000077DE0000-memory.dmp | MailPassView
  behavioral1/memory/1676-105-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1676-106-0x0000000000411654-mapping.dmp | MailPassView
  behavioral1/memory/1676-109-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1676-112-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral1/memory/1728-67-0x0000000002420000-0x00000000024B0000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1728-70-0x0000000077C60000-0x0000000077DE0000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1004-98-0x0000000002680000-0x0000000002710000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1004-101-0x0000000077C60000-0x0000000077DE0000-memory.dmp | WebBrowserPassView
- Nirsoft (8 IoCs)
  resource | yara_rule
  behavioral1/memory/1728-67-0x0000000002420000-0x00000000024B0000-memory.dmp | Nirsoft
  behavioral1/memory/1728-70-0x0000000077C60000-0x0000000077DE0000-memory.dmp | Nirsoft
  behavioral1/memory/1004-98-0x0000000002680000-0x0000000002710000-memory.dmp | Nirsoft
  behavioral1/memory/1004-101-0x0000000077C60000-0x0000000077DE0000-memory.dmp | Nirsoft
  behavioral1/memory/1676-105-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/1676-106-0x0000000000411654-mapping.dmp | Nirsoft
  behavioral1/memory/1676-109-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/1676-112-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- Executes dropped EXE (2 IoCs)
  pid | Process
  1760 | Windows Update.exe
  1004 | Windows Update.exe
- Deletes itself (1 IoCs)
  pid | Process
  1004 | Windows Update.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
  1760 | Windows Update.exe
  1760 | Windows Update.exe
  1760 | Windows Update.exe
  1760 | Windows Update.exe
  1004 | Windows Update.exe
  1004 | Windows Update.exe
  1004 | Windows Update.exe
- Uses the VBS compiler for execution (1 TTPs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | whatismyipaddress.com
  6 | whatismyipaddress.com
  7 | whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1696 set thread context of 1728 | 1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 27
  PID 1760 set thread context of 1004 | 1760 | Windows Update.exe | 29
  PID 1004 set thread context of 1676 | 1004 | Windows Update.exe | 31
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1004 | Windows Update.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
  1760 | Windows Update.exe
  1004 | Windows Update.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
  1004 | Windows Update.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target
  PID 1696 wrote to memory of 1728 | 1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 27
  PID 1696 wrote to memory of 1728 | 1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 27
  PID 1696 wrote to memory of 1728 | 1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 27
  PID 1696 wrote to memory of 1728 | 1696 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 27
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1728 wrote to memory of 1760 | 1728 | 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | 28
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1760 wrote to memory of 1004 | 1760 | Windows Update.exe | 29
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
  PID 1004 wrote to memory of 1676 | 1004 | Windows Update.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1696
- C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
  Depth: 2
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 1728
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  Depth: 3
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1760
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  Depth: 4
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 1004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  Depth: 5
  PID: 1676
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 102B
  MD5: ab77ce8f3f627cc26d8d39590db498ea
  SHA1: 0e4f5991102ad8e45513fac5ab8099664ec913ed
  SHA256: 675468643dceea5dc5d5f9b927fd7f97442d591ad1723f8d3865cd69bee6cd7a
  SHA512: 1487ca588e8bc990f1c53d9241071aa3998f78158765297782f0c47d104526eab00ccb7b64e305cb22744651476308d9f4bd5ac8ec0f025b297038d3b54a16bc
- Filesize: 958KB
  MD5: ad5dc6ea0f64a5a16fe225a011c2a023
  SHA1: ccaa2ede5a16f03cf7982250d934c521c08042c4
  SHA256: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
  SHA512: b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109