Analysis
-
max time kernel: 148s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2022 22:16
Static task: static1
Behavioral task: behavioral1
Sample: 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Resource: win10v2004-20220721-en
General
-
Target: 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Size: 737KB
MD5: 1761d36ee0dd421415d880c6051dff4c
SHA1: 49d19aab6814703768384c2f3f38f9a497764962
SHA256: 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b
SHA512: 1ddab5d31d79ee727a465392cd2c9004a2d86a529af298a5c78113a164a8adcb241bb741e142c28e06334366673af12f42ec41cd1a60c4113cd202f564cb1abd
Malware Config
Extracted
Protocol: smtp
Host: ns7.hadara.ps
Port: 587
Username: box@alnasserstone.com
Password: qazxswqazxsw@123
Signatures
-
NirSoft MailPassView (7 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe | MailPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe | MailPassView
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
behavioral2/memory/4664-139-0x0000000000000000-mapping.dmp | MailPassView
behavioral2/memory/4664-140-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/4664-142-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/4664-143-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe | WebBrowserPassView
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
behavioral2/memory/2456-148-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/2456-147-0x0000000000000000-mapping.dmp | WebBrowserPassView
behavioral2/memory/2456-150-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/2456-152-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft (11 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\tmp.exe | Nirsoft
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
behavioral2/memory/4664-139-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/4664-140-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4664-142-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/4664-143-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/2456-148-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/2456-147-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/2456-150-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/2456-152-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
3448 | tmp.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution (1 TTP)
-
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\assembly\Desktop.ini | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | whatismyipaddress.com
24 | whatismyipaddress.com
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 4324 set thread context of 868 | 4324 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 868 set thread context of 4664 | 868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | vbc.exe
PID 868 set thread context of 2456 | 868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | vbc.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\assembly | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File created | C:\Windows\assembly\Desktop.ini | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
4324 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
2456 | vbc.exe
2456 | vbc.exe
868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4324 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Token: SeDebugPrivilege | 868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
-
Suspicious use of WriteProcessMemory (29 IoCs)
Processes (identical entries grouped; the entry counts sum to 29):
description | pid | process | target process | entries
PID 4324 wrote to memory of 3448 | 4324 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | tmp.exe | 3
PID 4324 wrote to memory of 868 | 4324 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | 8
PID 868 wrote to memory of 4664 | 868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | vbc.exe | 9
PID 868 wrote to memory of 2456 | 868 | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe | vbc.exe | 9
Processes
-
- C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize: 520KB
MD5: 9c2b62407b2ed9680066a998d6772d18
SHA1: e2601164d04673a035241702f2849cf400d16286
SHA256: 6d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d
SHA512: f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1