Analysis
max time kernel: 100s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
submitted: 24-07-2022 02:43
Static task: static1
Behavioral task: behavioral1
Sample: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
Resource: win7-20220718-en
General
Target: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
Size: 946KB
MD5: fc4ff9d8c0e05abacfb2d51035a1b6e1
SHA1: 7b11509844d29755649282f439e88fa554a05cfd
SHA256: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253
SHA512: 770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: mistaspaz@89
Signatures
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Nirsoft 11 IoCs
Executes dropped EXE 2 IoCs
pid 3012: Windows Update.exe
pid 4268: Windows Update.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
Process: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: vbc.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 9: whatismyipaddress.com
flow 11: whatismyipaddress.com
Suspicious use of SetThreadContext 4 IoCs
PID 1644 set thread context of 2544 (Process: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe, procid_target: 77)
PID 3012 set thread context of 4268 (Process: Windows Update.exe, procid_target: 79)
PID 4268 set thread context of 1168 (Process: Windows Update.exe, procid_target: 81)
PID 4268 set thread context of 3364 (Process: Windows Update.exe, procid_target: 82)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid 3364: vbc.exe
pid 3364: vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege (pid 4268, Process: Windows Update.exe)
Suspicious use of SetWindowsHookEx 3 IoCs
pid 1644: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
pid 3012: Windows Update.exe
pid 4268: Windows Update.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
   PID: 1644
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
      PID: 2544
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         PID: 3012
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            PID: 4268
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               PID: 1168
               - Accesses Microsoft Outlook accounts
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               PID: 3364
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 102B
MD5: 87668ad827f145022854c5ed18b135a0
SHA1: 6f5bb495015544531c966ea0383e9d990d4ad5f0
SHA256: 3b6b4b602a81e0b9ad545e4bf19c6a5fb850200a9f2d7a3541f9b4482279168d
SHA512: e805ae599a9e790b63c2f0a5c768d69d747a4e86e0e9a1f95c7aaae0abe07e0b40d63345d0797393f514bdd9154ccd73d181cbffbd3b23bb756366015d3fb248

Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Filesize: 946KB
MD5: fc4ff9d8c0e05abacfb2d51035a1b6e1
SHA1: 7b11509844d29755649282f439e88fa554a05cfd
SHA256: 59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253
SHA512: 770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84