Analysis

max time kernel: 100s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 06:34

Behavioral task: behavioral1
Sample: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
Resource: win7-20220718-en
General

Target: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
Size: 5.6MB
MD5: 80a0a3da2f9717c0532cc760b1e7f746
SHA1: 999e1bd2c3947f898d21572c2c360de72232ef09
SHA256: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
SHA512: 4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
Malware Config

Extracted
Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: [email protected]
Password: nAMkXP8FUGvSc3wjPCKF
Signatures

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
  resource -> yara_rule
  behavioral2/memory/340-149-0x0000000000000000-mapping.dmp -> MailPassView
  behavioral2/memory/340-150-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
  behavioral2/memory/340-152-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
  behavioral2/memory/340-153-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView

NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
  resource -> yara_rule
  behavioral2/memory/3012-155-0x0000000000000000-mapping.dmp -> WebBrowserPassView
  behavioral2/memory/3012-156-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
  behavioral2/memory/3012-158-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
  behavioral2/memory/3012-159-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
  behavioral2/memory/3012-161-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView

Nirsoft (9 IoCs)
  resource -> yara_rule
  behavioral2/memory/340-149-0x0000000000000000-mapping.dmp -> Nirsoft
  behavioral2/memory/340-150-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
  behavioral2/memory/340-152-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
  behavioral2/memory/340-153-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
  behavioral2/memory/3012-155-0x0000000000000000-mapping.dmp -> Nirsoft
  behavioral2/memory/3012-156-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
  behavioral2/memory/3012-158-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
  behavioral2/memory/3012-159-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
  behavioral2/memory/3012-161-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft

Executes dropped EXE (1 IoCs)
  pid 2672: Windows Update.exe

yara_rule vmprotect matches (7 IoCs)
  resource -> yara_rule
  behavioral2/memory/4300-130-0x0000000000400000-0x0000000000D6C000-memory.dmp -> vmprotect
  behavioral2/memory/4300-133-0x0000000000400000-0x0000000000D6C000-memory.dmp -> vmprotect
  behavioral2/files/0x000b000000022eaa-137.dat -> vmprotect
  behavioral2/files/0x000b000000022eaa-138.dat -> vmprotect
  behavioral2/memory/2672-140-0x0000000000400000-0x0000000000D6C000-memory.dmp -> vmprotect
  behavioral2/memory/2672-143-0x0000000000400000-0x0000000000D6C000-memory.dmp -> vmprotect
  behavioral2/memory/2672-145-0x0000000000400000-0x0000000000D6C000-memory.dmp -> vmprotect

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)

Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 22: whatismyipaddress.com
  flow 24: whatismyipaddress.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 4300: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  pid 2672: Windows Update.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 2672 set thread context of 340 (process: Windows Update.exe, procid_target: 83)
  PID 2672 set thread context of 3012 (process: Windows Update.exe, procid_target: 84)

Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)
  File created: C:\Windows\assembly\Desktop.ini (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 4300: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe (4 entries)
  pid 2672: Windows Update.exe (5 entries)
  pid 3012: vbc.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4300: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  Token: SeDebugPrivilege, pid 2672: Windows Update.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 4300 wrote to memory of 2672 (process: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe, procid_target: 81) (3 entries)
  PID 2672 wrote to memory of 340 (process: Windows Update.exe, procid_target: 83) (9 entries)
  PID 2672 wrote to memory of 3012 (process: Windows Update.exe, procid_target: 84) (9 entries)
Processes

Path: C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe"
PID: 4300
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Path: C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  PID: 2672
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    PID: 340
      - Accesses Microsoft Outlook accounts

    Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    PID: 3012
      - Suspicious behavior: EnumeratesProcesses