Analysis
max time kernel: 151s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 01:46
Static task: static1
Behavioral task: behavioral1
  Sample: PO 29102 (1).exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: PO 29102 (1).exe
  Resource: win10v2004-20220812-en
General
Target: PO 29102 (1).exe
Size: 1.3MB
MD5: 23ae1bb4fdd3ec336cd3a041448b68b8
SHA1: 74d22f287a332b8285881b8e9693740eab912cbc
SHA256: 91566a26cf3aa1217ae7956e95f95dfe0621f398ef18f7f2950f555ee43fe796
SHA512: be786ec30212be2d757d5d1e9458326ec8442459da510f523daa504f5ccc6a3ad23fb50005d139840f05128686827bc4d252705228444d2f2a643a04f0412fbe
SSDEEP: 24576:z2O/Gl3GAsjPqmgGjiPIhdWi7t74vDq4FN7g6zwzRQegxP24VE2:/9GmgFPcLg5k1t4O2
Malware Config

Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: hvxcrpv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hvxcrpv.exe
NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/1824-139-0x00000000005A0000-0x0000000000628000-memory.dmp | MailPassView
behavioral2/memory/3476-146-0x0000000000000000-mapping.dmp | MailPassView
behavioral2/memory/3476-147-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/3476-149-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/3476-150-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/1824-139-0x00000000005A0000-0x0000000000628000-memory.dmp | WebBrowserPassView
behavioral2/memory/2136-151-0x0000000000000000-mapping.dmp | WebBrowserPassView
behavioral2/memory/2136-152-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/2136-154-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral2/memory/2136-156-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
Nirsoft (9 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1824-139-0x00000000005A0000-0x0000000000628000-memory.dmp | Nirsoft
behavioral2/memory/3476-146-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/3476-147-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/3476-149-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/3476-150-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/2136-151-0x0000000000000000-mapping.dmp | Nirsoft
behavioral2/memory/2136-152-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/2136-154-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral2/memory/2136-156-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
Executes dropped EXE (1 IoC)
Processes: hvxcrpv.exe
pid | process
1456 | hvxcrpv.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: PO 29102 (1).exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | PO 29102 (1).exe
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: vbc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: hvxcrpv.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | hvxcrpv.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\AEJKM1~1 = "C:\\Users\\Admin\\AEJKM1~1\\szbhryozob.vbs" | hvxcrpv.exe
Checks whether UAC is enabled
Processes: hvxcrpv.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hvxcrpv.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
42 | whatismyipaddress.com
44 | whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes: hvxcrpv.exe, RegSvcs.exe
description | pid | process | target process
PID 1456 set thread context of 1824 | 1456 | hvxcrpv.exe | RegSvcs.exe
PID 1824 set thread context of 3476 | 1824 | RegSvcs.exe | vbc.exe
PID 1824 set thread context of 2136 | 1824 | RegSvcs.exe | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: hvxcrpv.exe
pid | process
1456 | hvxcrpv.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: hvxcrpv.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1456 | hvxcrpv.exe (63 entries)
Token: SeDebugPrivilege | 1824 | RegSvcs.exe (1 entry)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegSvcs.exe
pid | process
1824 | RegSvcs.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes: PO 29102 (1).exe, hvxcrpv.exe, RegSvcs.exe
description | pid | process | target process
PID 3112 wrote to memory of 1456 | 3112 | PO 29102 (1).exe | hvxcrpv.exe (3 entries)
PID 1456 wrote to memory of 1824 | 1456 | hvxcrpv.exe | RegSvcs.exe (5 entries)
PID 1824 wrote to memory of 3476 | 1824 | RegSvcs.exe | vbc.exe (9 entries)
PID 1824 wrote to memory of 2136 | 1824 | RegSvcs.exe | vbc.exe (9 entries)
Processes (process tree; the number is the depth recorded by the sandbox)
1. C:\Users\Admin\AppData\Local\Temp\PO 29102 (1).exe
   command line: "C:\Users\Admin\AppData\Local\Temp\PO 29102 (1).exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\aejkm1pv3i66ocf\hvxcrpv.exe
      command line: "C:\Users\Admin\aejkm1pv3i66ocf\hvxcrpv.exe" awotrpubtkbu
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         command line: 0
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            - Accesses Microsoft Outlook accounts
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Downloads
- C:\Users\Admin\AEJKM1~1\WVMLBI~1.VOS
  Filesize: 520KB
  MD5: f0d8c521c9401babffe6f4fd92f9c0fa
  SHA1: b5fc903ef6c6e84ead7e88c89676bf632768f097
  SHA256: f941795a215e26db3b18164a2ada421996e446f4162eb205f1fa8f31444d0b04
  SHA512: 0142ed85dcde258e87edd818e7558abd94bda68624fad2d5db46ac1ce8c755d58b8ac7ac3db6573180d7fcd980d7647194da22bc3087fdd97ebaa3be9d6d79da
- C:\Users\Admin\AEJKM1~1\nvpgqhkysg.AVM
  Filesize: 232B
  MD5: 3c7d722f4dd6a7a40d9076e2210415b4
  SHA1: 48293c60a5be3330e7121dbc856d921b1753db2d
  SHA256: 9a457796cdcc4eae5c9de2a4be59c3f3322ef4b2404fdab481778ab3b9561396
  SHA512: fd43d6f39994ac19e32faf8fe08d2b9995907ae7c0a140216d2f2b16d5b034588d61e031403e9d28997f644f709d6ffe8e4f77e2f8271ab8807ac9240cd1fe3c
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- C:\Users\Admin\aejkm1pv3i66ocf\awotrpubtkbu
  Filesize: 546.8MB
  MD5: 0810b3fee19da743036878aa6fa8c2f0
  SHA1: d7d53fbf5141f996f10d6e8aeb00ed32b450ffcd
  SHA256: 65e179369de8fc6acceff62f8e5f28fa9156300b490ee6bfbe3462b18470e4e7
  SHA512: 37b4fef69c76e9e63ab010848e50a05996ee1870af91a5b5f66b28dedaedbd2e23733388e276dace9775683425679dd20d95ec44f81a34a79b7e92949f7df0bc
- C:\Users\Admin\aejkm1pv3i66ocf\hvxcrpv.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\aejkm1pv3i66ocf\hvxcrpv.exe (second recorded drop, same content)
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- memory/1456-132-0x0000000000000000-mapping.dmp
- memory/1824-142-0x0000000004C10000-0x0000000004CA2000-memory.dmp
  Filesize: 584KB
- memory/1824-141-0x0000000005120000-0x00000000056C4000-memory.dmp
  Filesize: 5.6MB
- memory/1824-139-0x00000000005A0000-0x0000000000628000-memory.dmp
  Filesize: 544KB
- memory/1824-143-0x0000000004B90000-0x0000000004B9A000-memory.dmp
  Filesize: 40KB
- memory/1824-144-0x0000000004E00000-0x0000000004E56000-memory.dmp
  Filesize: 344KB
- memory/1824-145-0x0000000007D40000-0x0000000007DA6000-memory.dmp
  Filesize: 408KB
- memory/1824-140-0x0000000004AA0000-0x0000000004B3C000-memory.dmp
  Filesize: 624KB
- memory/1824-138-0x0000000000000000-mapping.dmp
- memory/2136-152-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/2136-156-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/2136-154-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/2136-151-0x0000000000000000-mapping.dmp
- memory/3476-146-0x0000000000000000-mapping.dmp
- memory/3476-150-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3476-149-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3476-147-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB