8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d

Analysis

max time kernel
77s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
Size

278KB
MD5

0856e2af71f334dc0267069df4d75910
SHA1

089cfa55221724250c6faabc84cfb8a20867bb43
SHA256

8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d
SHA512

e18f13bae4eb23fddfb69511cfe76bd47397fc88e4c6a6202d127221453c5cbf371c9b77a4a68f125bad3e7c3ac867c8b16c82b7eb586250df124fe6f3cce7d2
SSDEEP

6144:5p1xR++UT/dwskMi1TQ+yBuFzQgqj2NHez2TfUXJ/8DCcqWiKYv:5zxR9UTVNi1U+yOsgqj2lC2I18DfqWdg

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/224-165-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView
behavioral2/memory/224-167-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView

Nirsoft 10 IoCs

resource	yara_rule
behavioral2/memory/4356-142-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/4356-144-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/1524-158-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/1524-160-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/224-165-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/224-167-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/520-182-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/520-184-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/1360-189-0x0000000000400000-0x0000000000410000-memory.dmp	Nirsoft
behavioral2/memory/1360-191-0x0000000000400000-0x0000000000410000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 set thread context of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 set thread context of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 set thread context of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 set thread context of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 set thread context of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 set thread context of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4356	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
4356	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
Token: SeDebugPrivilege	1524	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 4356	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	83
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1008	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	84
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 1524	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	86
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 224	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	87
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 3464	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	88
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 520	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	91
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93
PID 4756 wrote to memory of 1360	4756	8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe	93

C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
"C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:224
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:520
- C:\Users\Admin\AppData\Local\Temp\8f78d6965c04c05d61092128a5bc462b7dd6cdb90fe346445aef193bd28db45d.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/224-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/224-165-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/224-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/224-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/224-162-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/520-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/520-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/520-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/520-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/520-184-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1008-146-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1008-153-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1008-152-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1008-149-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1008-148-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1008-147-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1360-191-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-189-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-188-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-187-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-186-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-158-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-155-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3464-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3464-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3464-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3464-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3464-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3464-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4356-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4356-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4356-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4356-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-132-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/4756-192-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/4756-197-0x0000000002640000-0x0000000002647000-memory.dmp

Filesize
28KB

Download