Analysis
- max time kernel: 102s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2022 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: 5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
- Resource: win7-20220715-en
General
- Target: 5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
- Size: 930KB
- MD5: 4e74a3354afe8632e63645f79f34bc4c
- SHA1: 9392b8b4ee598a6b0de4651344f7e3513719fa8e
- SHA256: 5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0
- SHA512: a70106f24f304360bac9c6ad2f974821a3d39f233d763f1ae10ac4cec638edadbe509f2c2ce4bcccc662453565b150a7b1b98bb5811dfc31b5af28dc4212f51f
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: kennedey.isaac@yandex.com
- Password: jozo2018
This is the exfiltration mailbox embedded in the sample: harvested credentials are sent out over SMTP submission (port 587) to an attacker-controlled Yandex account, so the host/port pair and the account name are usable network and e-mail indicators.
Signatures
NirSoft MailPassView (6 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/308-140-0x00000000023B0000-0x0000000002440000-memory.dmp    MailPassView
  behavioral2/memory/1580-161-0x0000000006B90000-0x0000000006C20000-memory.dmp   MailPassView
  behavioral2/memory/1252-168-0x0000000000000000-mapping.dmp                     MailPassView
  behavioral2/memory/1252-169-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
  behavioral2/memory/1252-171-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
  behavioral2/memory/1252-172-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView

NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/308-140-0x00000000023B0000-0x0000000002440000-memory.dmp    WebBrowserPassView
  behavioral2/memory/1580-161-0x0000000006B90000-0x0000000006C20000-memory.dmp   WebBrowserPassView
  behavioral2/memory/796-175-0x0000000000000000-mapping.dmp                      WebBrowserPassView
  behavioral2/memory/796-176-0x0000000000400000-0x0000000000458000-memory.dmp    WebBrowserPassView
  behavioral2/memory/796-178-0x0000000000400000-0x0000000000458000-memory.dmp    WebBrowserPassView
  behavioral2/memory/796-180-0x0000000000400000-0x0000000000458000-memory.dmp    WebBrowserPassView

Nirsoft (10 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/308-140-0x00000000023B0000-0x0000000002440000-memory.dmp    Nirsoft
  behavioral2/memory/1580-161-0x0000000006B90000-0x0000000006C20000-memory.dmp   Nirsoft
  behavioral2/memory/1252-168-0x0000000000000000-mapping.dmp                     Nirsoft
  behavioral2/memory/1252-169-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
  behavioral2/memory/1252-171-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
  behavioral2/memory/1252-172-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
  behavioral2/memory/796-175-0x0000000000000000-mapping.dmp                      Nirsoft
  behavioral2/memory/796-176-0x0000000000400000-0x0000000000458000-memory.dmp    Nirsoft
  behavioral2/memory/796-178-0x0000000000400000-0x0000000000458000-memory.dmp    Nirsoft
  behavioral2/memory/796-180-0x0000000000400000-0x0000000000458000-memory.dmp    Nirsoft
Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  3736   Windows Update.exe
  1580   Windows Update.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description          ioc                                                                                                     process
  Key value queried    \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
Uses the VBS compiler for execution (1 TTPs)
The binary involved is vbc.exe, the Visual Basic .NET compiler (here the v2.0.50727 build), not a VBScript engine. It is started twice as a hollowing host, and the /stext switch on its command line is NirSoft's "save report to text file" option, which vbc.exe itself does not understand; together with the MailPassView and WebBrowserPassView YARA hits on the vbc.exe memory dumps this shows the NirSoft tools were injected into the compiler process and run there.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoC)
Processes:
  description   ioc                                                                                                                    process
  Key opened    \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  58     whatismyipaddress.com
  60     whatismyipaddress.com
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                            pid    process                                                                   target process
  PID 440 set thread context of 308      440    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
  PID 3736 set thread context of 1580    3736   Windows Update.exe                                                       Windows Update.exe
  PID 1580 set thread context of 1252    1580   Windows Update.exe                                                       vbc.exe
  PID 1580 set thread context of 796     1580   Windows Update.exe                                                       vbc.exe
Each source process also appears in the WriteProcessMemory list below writing into the same child: a parent that writes a child's memory and then resets its thread context is the classic process-hollowing sequence. It is used here three times in a row, first into a second copy of the sample, then into a copy of the dropped "Windows Update.exe", and finally into two vbc.exe instances.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; nothing else in this report supports that reading (no encrypted files or ransom note among the dropped files), and the NirSoft hits together with the SMTP configuration point to a credential stealer instead.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  796   vbc.exe
  796   vbc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1580   Windows Update.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid    process
  440    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
  3736   Windows Update.exe
  1580   Windows Update.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description                          pid    process                                                                   target process
  PID 440 wrote to memory of 308       440    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
  PID 440 wrote to memory of 308       440    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
  PID 440 wrote to memory of 308       440    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
  PID 308 wrote to memory of 3736      308    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    Windows Update.exe
  PID 308 wrote to memory of 3736      308    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    Windows Update.exe
  PID 308 wrote to memory of 3736      308    5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe    Windows Update.exe
  PID 3736 wrote to memory of 1580     3736   Windows Update.exe                                                       Windows Update.exe
  PID 3736 wrote to memory of 1580     3736   Windows Update.exe                                                       Windows Update.exe
  PID 3736 wrote to memory of 1580     3736   Windows Update.exe                                                       Windows Update.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 1252     1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
  PID 1580 wrote to memory of 796      1580   Windows Update.exe                                                       vbc.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe
            command line: C:\Users\Admin\AppData\Local\Temp\5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\Windows Update.exe
              command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Roaming\Windows Update.exe
                command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                  - Accesses Microsoft Outlook accounts
        (depth 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                  - Suspicious behavior: EnumeratesProcesses
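The chain in this tree (the sample hollowing a second copy of itself, a self-copy named "Windows Update.exe" under %AppData%\Roaming doing the same, and that copy injecting NirSoft tools into vbc.exe launched with the /stext switch) is what an endpoint detection should key on. The following Python is an added example written for this page, not code from the sandbox or from the report; it runs four such checks over constructed Sysmon-style process-creation and SetThreadContext records that mirror the PIDs, images and command lines shown above, plus one invented benign vbc.exe compile as a control. The user-writable directory pattern and the "Windows <name>.exe" masquerading heuristic are assumptions for illustration, not rules from the report.

```python
import ntpath
import re

# Images taken from the process tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed process-creation records (pid, ppid, image, command line) mirroring
# the tree above; pid 5000 is an invented, benign compiler run used as a control.
PROCESS_CREATE = [
    (440, 1, SAMPLE, f'"{SAMPLE}"'),
    (308, 440, SAMPLE, f'{SAMPLE}"'),
    (3736, 308, DROPPED, f'"{DROPPED}"'),
    (1580, 3736, DROPPED, f'{DROPPED}"'),
    (1252, 1580, VBC, f'{VBC} /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\holdermail.txt"'),
    (796, 1580, VBC, f'{VBC} /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\holderwb.txt"'),
    (5000, 4999, VBC, f'{VBC} /target:library /out:build.dll module.vb'),
]

# Constructed (source pid, target pid) pairs mirroring the SetThreadContext signature.
SET_THREAD_CONTEXT = [(440, 308), (3736, 1580), (1580, 1252), (1580, 796)]

# Assumed heuristic: directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# NirSoft's "save report to text file" switch; vbc.exe has no such option.
STEXT = re.compile(r"\s/stext\s", re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.search(path) is not None


def findings(process_create, set_thread_context):
    """Return (rule, pid, detail) tuples for every record that trips a rule."""
    image_of = {pid: image for pid, _, image, _ in process_create}
    hits = []
    for pid, _ppid, image, cmdline in process_create:
        name = ntpath.basename(image).lower()
        # Rule 1: a binary named like a Windows component but living where a user can write.
        if name.startswith("windows ") and is_user_writable(image):
            hits.append(("masquerading_exe", pid, image))
        # Rule 2: the VB.NET compiler started with NirSoft's /stext switch.
        if name == "vbc.exe" and STEXT.search(cmdline):
            hits.append(("nirsoft_in_vbc", pid, cmdline))
    for src, dst in set_thread_context:
        s, d = image_of.get(src), image_of.get(dst)
        if s is None or d is None:
            continue
        # Rule 3: a process resetting the thread context of a fresh copy of itself.
        if s.lower() == d.lower():
            hits.append(("self_hollowing", src, f"{src} -> {dst}"))
        # Rule 4: a user-writable binary resetting the thread context of a system binary.
        elif is_user_writable(s) and not is_user_writable(d):
            hits.append(("hollowed_system_binary", src, f"{src} -> {dst} ({ntpath.basename(d)})"))
    return hits


def rule_counts(process_create=PROCESS_CREATE, set_thread_context=SET_THREAD_CONTEXT):
    """Number of hits per rule, for a quick summary of a telemetry batch."""
    counts = {}
    for rule, _pid, _detail in findings(process_create, set_thread_context):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, pid, detail in findings(PROCESS_CREATE, SET_THREAD_CONTEXT):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

On the constructed records each rule fires exactly twice and the control compile (pid 5000) is silent. Rule 2 is the cheapest and most specific of the four for this family: a legitimate vbc.exe invocation carries compiler switches and source files, never /stext followed by a .txt path in a Temp directory.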
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 19fcb3530d732ac8d6bca1f95c3e6db1
  SHA1: 3ef4bf93397c7ec7f19a8aa6ea689fad1d0e98ad
  SHA256: 3c15262be7fc33b6477b057c9851580f5a7b30febf22791a8bae1cf49509c5fc
  SHA512: 9faa002d20dd3a24a47e788da2fc341581c59242528af003c56c0ece3ff2df78c12fb93c8bc2968a561dffc31084048248faabd6901cc9eb91f98d75cb43d01c
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
  This is the /stext output path of the second vbc.exe instance, i.e. the WebBrowserPassView report; holdermail.txt, the output path of the first (MailPassView) instance, does not appear in the Downloads list.
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times in the report with identical hashes)
  Filesize: 930KB
  MD5: 4e74a3354afe8632e63645f79f34bc4c
  SHA1: 9392b8b4ee598a6b0de4651344f7e3513719fa8e
  SHA256: 5c2da372c8776532c200452f366d1de8c55cc861a6c450168468b3413df173d0
  SHA512: a70106f24f304360bac9c6ad2f974821a3d39f233d763f1ae10ac4cec638edadbe509f2c2ce4bcccc662453565b150a7b1b98bb5811dfc31b5af28dc4212f51f
  These hashes are identical to the submitted sample: the dropped "Windows Update.exe" is a byte-for-byte copy of the original written to %AppData%\Roaming, not a second-stage payload, so the sample's own hashes double as the indicator for the dropped file.
- memory/308-140-0x00000000023B0000-0x0000000002440000-memory.dmp   Filesize: 576KB
- memory/308-145-0x00000000750D0000-0x0000000075681000-memory.dmp   Filesize: 5.7MB
- memory/308-143-0x0000000077A60000-0x0000000077C03000-memory.dmp   Filesize: 1.6MB
- memory/308-144-0x0000000077A60000-0x0000000077C03000-memory.dmp   Filesize: 1.6MB
- memory/308-137-0x0000000000400000-0x0000000000477000-memory.dmp   Filesize: 476KB
- memory/308-151-0x0000000077A60000-0x0000000077C03000-memory.dmp   Filesize: 1.6MB
- memory/308-152-0x00000000750D0000-0x0000000075681000-memory.dmp   Filesize: 5.7MB
- memory/308-133-0x0000000000000000-mapping.dmp
- memory/440-132-0x00000000022D0000-0x00000000022D7000-memory.dmp   Filesize: 28KB
- memory/440-134-0x0000000077A60000-0x0000000077C03000-memory.dmp   Filesize: 1.6MB
- memory/796-180-0x0000000000400000-0x0000000000458000-memory.dmp   Filesize: 352KB
- memory/796-176-0x0000000000400000-0x0000000000458000-memory.dmp   Filesize: 352KB
- memory/796-175-0x0000000000000000-mapping.dmp
- memory/796-178-0x0000000000400000-0x0000000000458000-memory.dmp   Filesize: 352KB
- memory/1252-172-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize: 108KB
- memory/1252-168-0x0000000000000000-mapping.dmp
- memory/1252-169-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize: 108KB
- memory/1252-171-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize: 108KB
- memory/1580-166-0x00000000750D0000-0x0000000075681000-memory.dmp  Filesize: 5.7MB
- memory/1580-165-0x0000000077A60000-0x0000000077C03000-memory.dmp  Filesize: 1.6MB
- memory/1580-173-0x0000000077A60000-0x0000000077C03000-memory.dmp  Filesize: 1.6MB
- memory/1580-174-0x00000000750D0000-0x0000000075681000-memory.dmp  Filesize: 5.7MB
- memory/1580-164-0x0000000077A60000-0x0000000077C03000-memory.dmp  Filesize: 1.6MB
- memory/1580-161-0x0000000006B90000-0x0000000006C20000-memory.dmp  Filesize: 576KB
- memory/1580-153-0x0000000000000000-mapping.dmp
- memory/3736-155-0x0000000077A60000-0x0000000077C03000-memory.dmp  Filesize: 1.6MB
- memory/3736-146-0x0000000000000000-mapping.dmp