Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
25-07-2022 16:08
Static task
static1
Behavioral task
behavioral1
Sample
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe
Resource
win7-20220715-en
General
-
Target
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe
-
Size
883KB
-
MD5
621bbd51e44db9b507a911ceba8c6e4d
-
SHA1
524a771f04ee76bddc16d5a6c0d59ac4f97b3398
-
SHA256
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
-
SHA512
b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
Malware Config
Signatures
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp MailPassView behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp WebBrowserPassView behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp Nirsoft behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
Project224.exeProject224.exepid process 1788 Project224.exe 2036 Project224.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 1256 cmd.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Project224.exeProject224.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\Project224.exe -boot" Project224.exe Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Project224.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Project224.exedescription pid process target process PID 1788 set thread context of 2036 1788 Project224.exe Project224.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exeProject224.exeProject224.exedescription pid process Token: SeDebugPrivilege 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe Token: SeDebugPrivilege 1788 Project224.exe Token: SeDebugPrivilege 2036 Project224.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Project224.exepid process 2036 Project224.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.execmd.exeProject224.exedescription pid process target process PID 640 wrote to memory of 1444 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1444 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1444 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1444 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1256 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1256 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1256 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 640 wrote to memory of 1256 640 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe cmd.exe PID 1256 wrote to memory of 1788 1256 cmd.exe Project224.exe PID 1256 wrote to memory of 1788 1256 cmd.exe Project224.exe PID 1256 wrote to memory of 1788 1256 cmd.exe Project224.exe PID 1256 wrote to memory of 1788 1256 cmd.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe PID 1788 wrote to memory of 2036 1788 Project224.exe Project224.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe" "C:\Users\Admin\Documents\Project224.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\Project224.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Project224.exe"C:\Users\Admin\Documents\Project224.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Project224.exe"C:\Users\Admin\Documents\Project224.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\Project224.exeFilesize
883KB
MD5621bbd51e44db9b507a911ceba8c6e4d
SHA1524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA2565568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
-
C:\Users\Admin\Documents\Project224.exeFilesize
883KB
MD5621bbd51e44db9b507a911ceba8c6e4d
SHA1524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA2565568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
-
C:\Users\Admin\Documents\Project224.exeFilesize
883KB
MD5621bbd51e44db9b507a911ceba8c6e4d
SHA1524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA2565568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
-
\Users\Admin\Documents\Project224.exeFilesize
883KB
MD5621bbd51e44db9b507a911ceba8c6e4d
SHA1524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA2565568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8
-
memory/640-55-0x0000000004BC0000-0x0000000004C70000-memory.dmpFilesize
704KB
-
memory/640-56-0x0000000000250000-0x000000000026E000-memory.dmpFilesize
120KB
-
memory/640-57-0x0000000075CD1000-0x0000000075CD3000-memory.dmpFilesize
8KB
-
memory/640-54-0x0000000000E00000-0x0000000000EE6000-memory.dmpFilesize
920KB
-
memory/1256-59-0x0000000000000000-mapping.dmp
-
memory/1444-58-0x0000000000000000-mapping.dmp
-
memory/1788-62-0x0000000000000000-mapping.dmp
-
memory/1788-64-0x00000000002D0000-0x00000000003B6000-memory.dmpFilesize
920KB
-
memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/2036-67-0x000000000047EA7E-mapping.dmp
-
memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/2036-74-0x00000000007A0000-0x00000000007A8000-memory.dmpFilesize
32KB