Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 02:06

Static task: static1
Behavioral task: behavioral1
Sample: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
Resource: win7-20220718-en
General

Target: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
Size: 958KB
MD5: ad5dc6ea0f64a5a16fe225a011c2a023
SHA1: ccaa2ede5a16f03cf7982250d934c521c08042c4
SHA256: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA512: b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109
Malware Config
Signatures

NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients

resource                                                                      yara_rule
behavioral2/memory/2864-141-0x0000000002140000-0x00000000021D0000-memory.dmp  MailPassView
behavioral2/memory/2908-161-0x0000000006AE0000-0x0000000006B70000-memory.dmp  MailPassView
behavioral2/memory/3660-171-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/3660-170-0x0000000000000000-mapping.dmp                    MailPassView
behavioral2/memory/3660-173-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral2/memory/3660-174-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers

resource                                                                      yara_rule
behavioral2/memory/2864-141-0x0000000002140000-0x00000000021D0000-memory.dmp  WebBrowserPassView
behavioral2/memory/2908-161-0x0000000006AE0000-0x0000000006B70000-memory.dmp  WebBrowserPassView

Nirsoft (6 IoCs)

resource                                                                      yara_rule
behavioral2/memory/2864-141-0x0000000002140000-0x00000000021D0000-memory.dmp  Nirsoft
behavioral2/memory/2908-161-0x0000000006AE0000-0x0000000006B70000-memory.dmp  Nirsoft
behavioral2/memory/3660-171-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/3660-170-0x0000000000000000-mapping.dmp                    Nirsoft
behavioral2/memory/3660-173-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/3660-174-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft

Executes dropped EXE (2 IoCs)

pid   Process
376   Windows Update.exe
2908  Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.

description        ioc                                                                                                        Process
Key value queried  \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation        4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)

description  ioc                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow  ioc
15    whatismyipaddress.com
17    whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)

description                          pid   Process                                                                 procid_target
PID 2988 set thread context of 2864  2988  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  78
PID 376 set thread context of 2908   376   Windows Update.exe                                                      80
PID 2908 set thread context of 3660  2908  Windows Update.exe                                                      82

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)

description              pid   Process
Token: SeDebugPrivilege  2908  Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)

pid   Process
2988  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
376   Windows Update.exe
2908  Windows Update.exe

Suspicious use of WriteProcessMemory (18 IoCs)

description                       pid   Process                                                                 procid_target
PID 2988 wrote to memory of 2864  2988  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  78
PID 2988 wrote to memory of 2864  2988  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  78
PID 2988 wrote to memory of 2864  2988  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  78
PID 2864 wrote to memory of 376   2864  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  79
PID 2864 wrote to memory of 376   2864  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  79
PID 2864 wrote to memory of 376   2864  4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe  79
PID 376 wrote to memory of 2908   376   Windows Update.exe                                                      80
PID 376 wrote to memory of 2908   376   Windows Update.exe                                                      80
PID 376 wrote to memory of 2908   376   Windows Update.exe                                                      80
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
PID 2908 wrote to memory of 3660  2908  Windows Update.exe                                                      82
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
   PID: 2988
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
      PID: 2864
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 376
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 2908
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 3660
               - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 102B
MD5: ab77ce8f3f627cc26d8d39590db498ea
SHA1: 0e4f5991102ad8e45513fac5ab8099664ec913ed
SHA256: 675468643dceea5dc5d5f9b927fd7f97442d591ad1723f8d3865cd69bee6cd7a
SHA512: 1487ca588e8bc990f1c53d9241071aa3998f78158765297782f0c47d104526eab00ccb7b64e305cb22744651476308d9f4bd5ac8ec0f025b297038d3b54a16bc

Files 2, 3 and 4 (three downloads with identical hashes, matching the submitted sample)
Filesize: 958KB
MD5: ad5dc6ea0f64a5a16fe225a011c2a023
SHA1: ccaa2ede5a16f03cf7982250d934c521c08042c4
SHA256: 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA512: b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109