5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe
Size

783KB
MD5

6f30619bb076002a7f436962ff01e0f0
SHA1

1ea31fee95acd27ab1dcf1af5bc3a916f65a5c36
SHA256

5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b
SHA512

3d68d75169a7727c3ed98a4fe0ad7e2dfdc933e34bb8ac3d7cbf607c341ba5510a7220d3a4aeca31189b9b88a51206dda928171dcc88cadb59c6b67d7d67f00d
SSDEEP

24576:oJiYUYi1iXJF85GZaCR8al35ZkvXAccdESkWPhDsujwl5SA:oJindeF85GZa48APkf3uwWPhfjwl5P

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/files/0x0002000000022de0-133.dat	MailPassView
behavioral2/files/0x0002000000022de0-134.dat	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x0002000000022de0-133.dat	WebBrowserPassView
behavioral2/files/0x0002000000022de0-134.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022de0-133.dat	Nirsoft
behavioral2/files/0x0002000000022de0-134.dat	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
3972	PMO WallHack v4.2.6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3972	1900	5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe	84
PID 1900 wrote to memory of 3972	1900	5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe	84
PID 1900 wrote to memory of 3972	1900	5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe	84

C:\Users\Admin\AppData\Local\Temp\5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe
"C:\Users\Admin\AppData\Local\Temp\5b6e351b4b59e8610f11768159151fe3f6f95cb457295a2f4914443b915fc21b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\PMO WallHack v4.2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\PMO WallHack v4.2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PMO WallHack v4.2.6.exe

Filesize
521KB

MD5
920612ac244a18f29b8eefa994b82ebd

SHA1
c2650eff9709874d4875a41e9d40093f4fd08834

SHA256
3e23809c8f13fb823831bde5d531b635f25215d80694872ac0fc0fe32fccf34a

SHA512
803bf9fc942e662c5688d3be9ce64a7e8b69c8546ee67ef1256a07d0b552f699c0653550b5a8def989ecae22a9c4151f102dea026c71902763c2fb9bf3f60c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMO WallHack v4.2.6.exe

Filesize
521KB

MD5
920612ac244a18f29b8eefa994b82ebd

SHA1
c2650eff9709874d4875a41e9d40093f4fd08834

SHA256
3e23809c8f13fb823831bde5d531b635f25215d80694872ac0fc0fe32fccf34a

SHA512
803bf9fc942e662c5688d3be9ce64a7e8b69c8546ee67ef1256a07d0b552f699c0653550b5a8def989ecae22a9c4151f102dea026c71902763c2fb9bf3f60c71

Download Submit
memory/3972-132-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/3972-136-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download