549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

General

Target

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe
Size

608KB
MD5

41ef837433847acf45cee2c98b32afb4
SHA1

538892e2ee5b53da1ec8410889aec16f7cba98be
SHA256

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75
SHA512

c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1448-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1448-82-0x0000000000411790-mapping.dmp	MailPassView
behavioral1/memory/1448-85-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1448-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1448-88-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/792-98-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral1/memory/792-99-0x00000000004439CC-mapping.dmp	WebBrowserPassView
behavioral1/memory/792-102-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral1/memory/792-104-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1448-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1448-82-0x0000000000411790-mapping.dmp	Nirsoft
behavioral1/memory/1448-85-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1448-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1448-88-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/792-98-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral1/memory/792-99-0x00000000004439CC-mapping.dmp	Nirsoft
behavioral1/memory/792-102-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral1/memory/792-104-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

files.exefiles.exe

pid process

2016 files.exe
1860 files.exe
Loads dropped DLL 1 IoCs

Processes:

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe

pid process

272 549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2016	files.exe
1860	files.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

files.exefiles.exe

description	pid	process	target process
PID 2016 set thread context of 1860	2016	files.exe	files.exe
PID 1860 set thread context of 1448	1860	files.exe	vbc.exe
PID 1860 set thread context of 792	1860	files.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exefiles.exevbc.exe

pid	process
272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe
2016	files.exe
2016	files.exe
792	vbc.exe
792	vbc.exe
792	vbc.exe
792	vbc.exe
792	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exefiles.exe

description	pid	process
Token: SeDebugPrivilege	272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe
Token: SeDebugPrivilege	2016	files.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

files.exe

pid process

1860 files.exe

pid	process
1860	files.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exefiles.exefiles.exe

description	pid	process	target process
PID 272 wrote to memory of 2016	272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe	files.exe
PID 272 wrote to memory of 2016	272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe	files.exe
PID 272 wrote to memory of 2016	272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe	files.exe
PID 272 wrote to memory of 2016	272	549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 2016 wrote to memory of 1860	2016	files.exe	files.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 1448	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe
PID 1860 wrote to memory of 792	1860	files.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe
"C:\Users\Admin\AppData\Local\Temp\549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\Documents\files.exe
"C:\Users\Admin\Documents\files.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\Documents\files.exe
"C:\Users\Admin\Documents\files.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Web.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\New text document.txt
Filesize
32B

MD5
23333eed06d0565364f6b827d5f60520

SHA1
8b161f2f9a2bf2dcef181d76b932c6a22a88b8d7

SHA256
c09ee462f8a6285b8dceac49cf75a8a3e63b8425a5b2abca9a8dc58744942173

SHA512
3e3239176c98c18ec700e96de68f4c9f7b17b90eb578f159f6be5d92366c8d01ff8a509193689f7e7a94e1bfce01ef9ceeadc94ae2c81a27f718a19b149111f8

Download Submit
C:\Users\Admin\Documents\files.exe
Filesize
608KB

MD5
41ef837433847acf45cee2c98b32afb4

SHA1
538892e2ee5b53da1ec8410889aec16f7cba98be

SHA256
549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

SHA512
c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Download Submit
C:\Users\Admin\Documents\files.exe
Filesize
608KB

MD5
41ef837433847acf45cee2c98b32afb4

SHA1
538892e2ee5b53da1ec8410889aec16f7cba98be

SHA256
549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

SHA512
c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Download Submit
C:\Users\Admin\Documents\files.exe
Filesize
608KB

MD5
41ef837433847acf45cee2c98b32afb4

SHA1
538892e2ee5b53da1ec8410889aec16f7cba98be

SHA256
549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

SHA512
c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Download Submit
\Users\Admin\Documents\files.exe
Filesize
608KB

MD5
41ef837433847acf45cee2c98b32afb4

SHA1
538892e2ee5b53da1ec8410889aec16f7cba98be

SHA256
549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

SHA512
c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Download Submit
memory/272-61-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/272-54-0x0000000075DC1000-0x0000000075DC3000-memory.dmp

Filesize
8KB

Download
memory/272-55-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/792-104-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-102-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-99-0x00000000004439CC-mapping.dmp

Download
memory/792-98-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-96-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-94-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-92-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-90-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/792-89-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1448-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-82-0x0000000000411790-mapping.dmp

Download
memory/1448-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-87-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-72-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1860-68-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1860-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2016-67-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-63-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads