Analysis
-
max time kernel
128s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
30-07-2022 22:16
Static task
static1
Behavioral task
behavioral1
Sample
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Resource
win10v2004-20220721-en
General
-
Target
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Size
737KB
-
MD5
1761d36ee0dd421415d880c6051dff4c
-
SHA1
49d19aab6814703768384c2f3f38f9a497764962
-
SHA256
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b
-
SHA512
1ddab5d31d79ee727a465392cd2c9004a2d86a529af298a5c78113a164a8adcb241bb741e142c28e06334366673af12f42ec41cd1a60c4113cd202f564cb1abd
Malware Config
Signatures
-
NirSoft MailPassView 14 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\tmp.exe MailPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe MailPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe MailPassView behavioral1/memory/1328-65-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1328-67-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1328-68-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1328-69-0x0000000000480BEE-mapping.dmp MailPassView behavioral1/memory/1328-71-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1328-73-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1704-80-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1704-81-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/1704-84-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1704-86-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1704-87-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 14 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\tmp.exe WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe WebBrowserPassView behavioral1/memory/1328-65-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/1328-67-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/1328-68-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/1328-69-0x0000000000480BEE-mapping.dmp WebBrowserPassView behavioral1/memory/1328-71-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/1328-73-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/1036-88-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1036-89-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1036-92-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1036-93-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1036-95-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 19 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\tmp.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\tmp.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\tmp.exe Nirsoft behavioral1/memory/1328-65-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1328-67-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1328-68-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1328-69-0x0000000000480BEE-mapping.dmp Nirsoft behavioral1/memory/1328-71-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1328-73-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1704-80-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1704-81-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/1704-84-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1704-86-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1704-87-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1036-88-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1036-89-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1036-92-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1036-93-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1036-95-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
Processes:
tmp.exepid process 1108 tmp.exe -
Loads dropped DLL 1 IoCs
Processes:
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exepid process 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" tmp.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 whatismyipaddress.com 7 whatismyipaddress.com 8 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exetmp.exedescription pid process target process PID 964 set thread context of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 1108 set thread context of 1704 1108 tmp.exe vbc.exe PID 1108 set thread context of 1036 1108 tmp.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exetmp.exepid process 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 1108 tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exetmp.exedescription pid process Token: SeDebugPrivilege 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe Token: SeDebugPrivilege 1108 tmp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
tmp.exepid process 1108 tmp.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exetmp.exedescription pid process target process PID 964 wrote to memory of 1108 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe tmp.exe PID 964 wrote to memory of 1108 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe tmp.exe PID 964 wrote to memory of 1108 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe tmp.exe PID 964 wrote to memory of 1108 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe tmp.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 964 wrote to memory of 1328 964 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1704 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe PID 1108 wrote to memory of 1036 1108 tmp.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
-
C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeFilesize
520KB
MD59c2b62407b2ed9680066a998d6772d18
SHA1e2601164d04673a035241702f2849cf400d16286
SHA2566d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d
SHA512f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeFilesize
520KB
MD59c2b62407b2ed9680066a998d6772d18
SHA1e2601164d04673a035241702f2849cf400d16286
SHA2566d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d
SHA512f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1
-
\Users\Admin\AppData\Local\Temp\tmp.exeFilesize
520KB
MD59c2b62407b2ed9680066a998d6772d18
SHA1e2601164d04673a035241702f2849cf400d16286
SHA2566d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d
SHA512f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1
-
memory/964-78-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/964-55-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/964-56-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/964-54-0x0000000076211000-0x0000000076213000-memory.dmpFilesize
8KB
-
memory/1036-95-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1036-93-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1036-92-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1036-89-0x0000000000442628-mapping.dmp
-
memory/1036-88-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1108-96-0x0000000001F15000-0x0000000001F26000-memory.dmpFilesize
68KB
-
memory/1108-85-0x0000000001F15000-0x0000000001F26000-memory.dmpFilesize
68KB
-
memory/1108-75-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/1108-58-0x0000000000000000-mapping.dmp
-
memory/1108-79-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/1328-76-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/1328-68-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-62-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-63-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-77-0x00000000748B0000-0x0000000074E5B000-memory.dmpFilesize
5.7MB
-
memory/1328-73-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-65-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-67-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-71-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1328-69-0x0000000000480BEE-mapping.dmp
-
memory/1704-84-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1704-87-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1704-86-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1704-81-0x0000000000411654-mapping.dmp
-
memory/1704-80-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB