c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21

Analysis

max time kernel
136s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
Size

986KB
MD5

bed6f2b8bafe032b960236c89f41a550
SHA1

a525078808532982d705dec0f4cf45575c0806c2
SHA256

c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21
SHA512

1db1a5dc53002e35bb32c7635eaea60546c5df09f44ea42f4b249c01798254d18a421ac9d3e337bd5e922bf7a03eb18478df003bdfc6d6fc53ad87b0ef68081c

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3412-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3412-150-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3412-151-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2712-140-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2712-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2712-144-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2712-145-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/2712-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2712-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2712-144-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2712-145-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3412-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3412-150-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3412-151-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 4804 set thread context of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 set thread context of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4020	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	83
PID 2088 wrote to memory of 4020	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	83
PID 2088 wrote to memory of 4020	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	83
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 2088 wrote to memory of 4804	2088	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	85
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 2712	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	86
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87
PID 4804 wrote to memory of 3412	4804	c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe	87

C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
"C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mpyqjbreTDGRch" /XML "C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
  "C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9991.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe.log

Filesize
500B

MD5
f3bfbe5958adfc86cc0ea0a8317ea113

SHA1
3bf76848af2edafcacee5f9fb6a06b35a6724015

SHA256
598715cafd950c881e4fe318430b5830e95781f2093baa22f124cfad03320874

SHA512
873fb9861d615ec3298ccba8231ea3f2a22f2050fe68fea1a6948987942c04f6b40f0b92d5e59f6971cdb429b67877ac2e3cfc953949a0140e03c6cdb8a1139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp

Filesize
1KB

MD5
7f505e98d413c4ec12f381897231ae31

SHA1
35ae25353d36c332b374e8a7c3ec2044161f3a53

SHA256
036de86ca06b90c354e29ef6b197b6cf187f034e81a03671fb3681cf302a7b8a

SHA512
e8b6351139dd9bd8d78b79ba8b0419e5abcfca5cffb0cc758fb2d5b20b01caca5db54a40da197819500cf10ef9aaf06d9710b6cd981eb911fe69496034b9ec57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp

Filesize
4KB

MD5
a64ef19cb7924d0ef7b27699e0237041

SHA1
b6392aa8451f0721fcadff793808f8630182e66e

SHA256
66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56

SHA512
66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b

Download Submit
memory/2088-137-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2088-131-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2088-130-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2712-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2712-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3412-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3412-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3412-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4804-138-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-143-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download