Analysis
- max time kernel: 137s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 21:43

Static task: static1
Behavioral task: behavioral1
- Sample: 5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe
- Resource: win7-20220718-en
General
- Target: 5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe
- Size: 970KB
- MD5: e6350b9f4608bae0aab1347846407674
- SHA1: 08b77622b00a125e54f2c718eacc1c8f57b40b73
- SHA256: 5e033870891778609ff43626f637530e93531956256f914396417616058f1641
- SHA512: 009ec32793d3a7b3849f5b3e4da7e0343a3350cf83a79bd4d388e22d0f37fb3793734fb6d0ec6f2406ef1e2b823c5a353c09ae53ac05f3ac943236e577bc215a
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: shijumike@yandex.com
- Password: mikeaboyland
Signatures

NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients
Processes (resource -> yara_rule):
- behavioral2/memory/1848-141-0x0000000006B30000-0x0000000006BC0000-memory.dmp -> MailPassView
- behavioral2/memory/1484-161-0x0000000006AB0000-0x0000000006B40000-memory.dmp -> MailPassView
- behavioral2/memory/4780-167-0x0000000000000000-mapping.dmp -> MailPassView
- behavioral2/memory/4780-168-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
- behavioral2/memory/4780-170-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView
- behavioral2/memory/4780-171-0x0000000000400000-0x000000000041B000-memory.dmp -> MailPassView

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Processes (resource -> yara_rule):
- behavioral2/memory/1848-141-0x0000000006B30000-0x0000000006BC0000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/1484-161-0x0000000006AB0000-0x0000000006B40000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/1884-174-0x0000000000000000-mapping.dmp -> WebBrowserPassView
- behavioral2/memory/1884-175-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/1884-177-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/1884-178-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView
- behavioral2/memory/1884-180-0x0000000000400000-0x0000000000458000-memory.dmp -> WebBrowserPassView

Nirsoft (11 IoCs)
Processes (resource -> yara_rule):
- behavioral2/memory/1848-141-0x0000000006B30000-0x0000000006BC0000-memory.dmp -> Nirsoft
- behavioral2/memory/1484-161-0x0000000006AB0000-0x0000000006B40000-memory.dmp -> Nirsoft
- behavioral2/memory/4780-167-0x0000000000000000-mapping.dmp -> Nirsoft
- behavioral2/memory/4780-168-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/4780-170-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/4780-171-0x0000000000400000-0x000000000041B000-memory.dmp -> Nirsoft
- behavioral2/memory/1884-174-0x0000000000000000-mapping.dmp -> Nirsoft
- behavioral2/memory/1884-175-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
- behavioral2/memory/1884-177-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
- behavioral2/memory/1884-178-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
- behavioral2/memory/1884-180-0x0000000000400000-0x0000000000458000-memory.dmp -> Nirsoft
Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 2628 Windows Update.exe
- 1484 Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe)

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 68: whatismyipaddress.com
- 70: whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
Processes (description / pid / process / target process):
- PID 2060 (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe) set thread context of 1848 (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe)
- PID 2628 (Windows Update.exe) set thread context of 1484 (Windows Update.exe)
- PID 1484 (Windows Update.exe) set thread context of 4780 (vbc.exe)
- PID 1484 (Windows Update.exe) set thread context of 1884 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 1884 vbc.exe
- 1884 vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1484 Windows Update.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid / process):
- 2060 5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe
- 2628 Windows Update.exe
- 1484 Windows Update.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description / pid / process / target process); the 27 events fall into these distinct source/target pairs, each repeated across several calls:
- PID 2060 (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe) wrote to memory of 1848 (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe)
- PID 1848 (5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe) wrote to memory of 2628 (Windows Update.exe)
- PID 2628 (Windows Update.exe) wrote to memory of 1484 (Windows Update.exe)
- PID 1484 (Windows Update.exe) wrote to memory of 4780 (vbc.exe)
- PID 1484 (Windows Update.exe) wrote to memory of 1884 (vbc.exe)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5e033870891778609ff43626f637530e93531956256f914396417616058f1641.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
        - (depth 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 25cdf976d80f34323c6a3bf8da3a2615
  SHA1: c98ea23df04334af9967bcae6a82128c70538da6
  SHA256: 7dd8663d42227c110aea7418a5a8c5dd91904aacb18ab19151020dc396d0f848
  SHA512: 0c0acc0902d2584f96f771456964359fe0bb40810c1dabb1c5f2f33bff83d49101c4d88445ec5496aad7c40d1e172c6f79549a9183268bb383ca3ad90e27cfdd
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 970KB
  MD5: e6350b9f4608bae0aab1347846407674
  SHA1: 08b77622b00a125e54f2c718eacc1c8f57b40b73
  SHA256: 5e033870891778609ff43626f637530e93531956256f914396417616058f1641
  SHA512: 009ec32793d3a7b3849f5b3e4da7e0343a3350cf83a79bd4d388e22d0f37fb3793734fb6d0ec6f2406ef1e2b823c5a353c09ae53ac05f3ac943236e577bc215a
- memory/1484-172-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1484-153-0x0000000000000000-mapping.dmp
- memory/1484-173-0x0000000074960000-0x0000000074F11000-memory.dmp (Filesize: 5.7MB)
- memory/1484-165-0x0000000074960000-0x0000000074F11000-memory.dmp (Filesize: 5.7MB)
- memory/1484-164-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1484-161-0x0000000006AB0000-0x0000000006B40000-memory.dmp (Filesize: 576KB)
- memory/1848-151-0x0000000074960000-0x0000000074F11000-memory.dmp (Filesize: 5.7MB)
- memory/1848-145-0x0000000074960000-0x0000000074F11000-memory.dmp (Filesize: 5.7MB)
- memory/1848-137-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
- memory/1848-133-0x0000000000000000-mapping.dmp
- memory/1848-149-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1848-140-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1848-141-0x0000000006B30000-0x0000000006BC0000-memory.dmp (Filesize: 576KB)
- memory/1848-144-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1884-175-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1884-174-0x0000000000000000-mapping.dmp
- memory/1884-177-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1884-178-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1884-180-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/2060-132-0x00000000022B0000-0x00000000022B7000-memory.dmp (Filesize: 28KB)
- memory/2060-134-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/2628-146-0x0000000000000000-mapping.dmp
- memory/2628-155-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/4780-167-0x0000000000000000-mapping.dmp
- memory/4780-168-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4780-170-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4780-171-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)