Analysis

  • max time kernel
    200s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-07-2022 05:15

General

  • Target

    bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

  • Size

    1.1MB

  • MD5

    df42c439132933e840bb989440b0db6d

  • SHA1

    80e66df85a64d4b88083fcfcd6a280a07ddbaa41

  • SHA256

    bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da

  • SHA512

    15a80ca61db62f5c2c24ad1c87d1baae3a8ec247f66df64b03fe8ca3c154d5fd9fdc11db57675bfc56f3d194b16e75c5af1bd5d54b189e87605808d969bc3f6e

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    bhavnatutor.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Onyeoba111

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Program crash 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
    "C:\Users\Admin\AppData\Local\Temp\bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:4932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1480
        3⤵
        • Program crash
        PID:1824
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1480
        3⤵
        • Program crash
        PID:3384
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1484
        3⤵
        • Program crash
        PID:3720
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1480
        3⤵
        • Program crash
        PID:3084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
    1⤵
    PID:4948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2160 -ip 2160
    1⤵
    PID:3648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5016 -ip 5016
    1⤵
    PID:4968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4560 -ip 4560
    1⤵
    PID:4088

Network

MITRE ATT&CK Enterprise v6

Downloads
