Analysis
max time kernel: 112s
max time network: 115s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 02:43
Static task: static1
Behavioral task: behavioral1
Sample: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
Resource: win7-20220718-en
General
Target: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
Size: 946KB
MD5: fc4ff9d8c0e05abacfb2d51035a1b6e1
SHA1: 7b11509844d29755649282f439e88fa554a05cfd
SHA256: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253
SHA512: 770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: mistaspaz@89
Signatures

NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
resource  yara_rule
behavioral1/memory/1668-66-0x00000000066C0000-0x0000000006750000-memory.dmp  MailPassView
behavioral1/memory/1668-69-0x0000000077670000-0x00000000777F0000-memory.dmp  MailPassView
behavioral1/memory/1748-99-0x00000000067B0000-0x0000000006840000-memory.dmp  MailPassView
behavioral1/memory/1020-109-0x0000000000411654-mapping.dmp  MailPassView
behavioral1/memory/1020-108-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1020-112-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1020-115-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1020-119-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/memory/1668-66-0x00000000066C0000-0x0000000006750000-memory.dmp  WebBrowserPassView
behavioral1/memory/1668-69-0x0000000077670000-0x00000000777F0000-memory.dmp  WebBrowserPassView
behavioral1/memory/1748-99-0x00000000067B0000-0x0000000006840000-memory.dmp  WebBrowserPassView
behavioral1/memory/976-120-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/976-121-0x0000000000442628-mapping.dmp  WebBrowserPassView
behavioral1/memory/976-122-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView

Nirsoft (11 IoCs)
resource  yara_rule
behavioral1/memory/1668-66-0x00000000066C0000-0x0000000006750000-memory.dmp  Nirsoft
behavioral1/memory/1668-69-0x0000000077670000-0x00000000777F0000-memory.dmp  Nirsoft
behavioral1/memory/1748-99-0x00000000067B0000-0x0000000006840000-memory.dmp  Nirsoft
behavioral1/memory/1020-109-0x0000000000411654-mapping.dmp  Nirsoft
behavioral1/memory/1020-108-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1020-112-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1020-115-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1020-119-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/976-120-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/976-121-0x0000000000442628-mapping.dmp  Nirsoft
behavioral1/memory/976-122-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft

Executes dropped EXE (2 IoCs)
pid  Process
2032  Windows Update.exe
1748  Windows Update.exe

Deletes itself (1 IoCs)
pid  Process
1748  Windows Update.exe

Loads dropped DLL (8 IoCs)
pid  Process
1668  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
2032  Windows Update.exe
2032  Windows Update.exe
2032  Windows Update.exe
2032  Windows Update.exe
1748  Windows Update.exe
1748  Windows Update.exe
1748  Windows Update.exe
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
7  whatismyipaddress.com
4  whatismyipaddress.com
6  whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
description  pid  Process  procid_target
PID 1096 set thread context of 1668  1096  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe  27
PID 2032 set thread context of 1748  2032  Windows Update.exe  29
PID 1748 set thread context of 1020  1748  Windows Update.exe  31
PID 1748 set thread context of 976  1748  Windows Update.exe  32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1748  Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid  Process
1096  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
2032  Windows Update.exe
1748  Windows Update.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid  Process
1668  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
1748  Windows Update.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Identical rows are collapsed; the count column gives the number of times each row appears.
description  pid  Process  procid_target  count
PID 1096 wrote to memory of 1668  1096  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe  27  4
PID 1668 wrote to memory of 2032  1668  59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe  28  7
PID 2032 wrote to memory of 1748  2032  Windows Update.exe  29  7
PID 1748 wrote to memory of 1020  1748  Windows Update.exe  31  13
PID 1748 wrote to memory of 976  1748  Windows Update.exe  32  13
Processes
1. C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
   PID: 1096
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
      PID: 1668
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 2032
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 1748
            - Executes dropped EXE
            - Deletes itself
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 1020
               - Accesses Microsoft Outlook accounts
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               PID: 976
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 102B
MD5: 87668ad827f145022854c5ed18b135a0
SHA1: 6f5bb495015544531c966ea0383e9d990d4ad5f0
SHA256: 3b6b4b602a81e0b9ad545e4bf19c6a5fb850200a9f2d7a3541f9b4482279168d
SHA512: e805ae599a9e790b63c2f0a5c768d69d747a4e86e0e9a1f95c7aaae0abe07e0b40d63345d0797393f514bdd9154ccd73d181cbffbd3b23bb756366015d3fb248

Filesize: 946KB
MD5: fc4ff9d8c0e05abacfb2d51035a1b6e1
SHA1: 7b11509844d29755649282f439e88fa554a05cfd
SHA256: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253
SHA512: 770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84