8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
Size

278KB
MD5

0856e2af71f334dc0267069df4d75910
SHA1

089cfa55221724250c6faabc84cfb8a20867bb43
SHA256

8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d
SHA512

e18f13bae4eb23fddfb69511cfe76bd47397fc88e4c6a6202d127221453c5cbf371c9b77a4a68f125bad3e7c3ac867c8b16c82b7eb586250df124fe6f3cce7d2
SSDEEP

6144:5p1xR++UT/dwskMi1TQ+yBuFzQgqj2NHez2TfUXJ/8DCcqWiKYv:5zxR9UTVNi1U+yOsgqj2lC2I18DfqWdg

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1100-124-0x00000000004102B0-mapping.dmp	MailPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1776-74-0x0000000000410622-mapping.dmp	Nirsoft
behavioral1/memory/1776-72-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/1776-76-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/1164-105-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/1164-107-0x000000000040B78A-mapping.dmp	Nirsoft
behavioral1/memory/1164-109-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/1100-124-0x00000000004102B0-mapping.dmp	Nirsoft
behavioral1/memory/1060-158-0x0000000000406A5C-mapping.dmp	Nirsoft
behavioral1/memory/1848-174-0x00000000004075AF-mapping.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 set thread context of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 set thread context of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 set thread context of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 set thread context of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 set thread context of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 set thread context of 1848	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	33

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
Token: SeDebugPrivilege	1164	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 1776	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	27
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 540	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	28
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1164	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	29
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1100	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	30
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1896	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	31
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1060	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	32
PID 1492 wrote to memory of 1848	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	33
PID 1492 wrote to memory of 1848	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	33
PID 1492 wrote to memory of 1848	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	33
PID 1492 wrote to memory of 1848	1492	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	33

C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
"C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:540
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/540-88-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-93-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-92-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-77-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-78-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-83-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-86-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-80-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1100-110-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-111-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-119-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-116-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1100-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1164-105-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-109-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-94-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-95-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-97-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-102-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1492-54-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1776-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-75-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1776-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1776-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1896-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download