Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-10-2022 01:19
Static task
static1
Behavioral task
behavioral1
Sample
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Resource
win10v2004-20220901-en
General
-
Target
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
-
Size
648KB
-
MD5
6f1efdc80f87d1b895004a26c2948210
-
SHA1
cae36f996570f5e520dca5e764bf7815dd490675
-
SHA256
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e
-
SHA512
eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e
-
SSDEEP
12288:j9ogAOvlpTyhX9oRZ17/gDXsa0mFzPOncImbp3hTRkWaQemLZN:j+gAwvTyhX9AgDXsa0mZPfIgp3hTCWa
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
  description    ioc                                                                                                  process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j2t6bIXtKRzH.lnk   48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
vbc.exe is the .NET Framework Visual Basic compiler, not a VBScript engine. In this run it compiles nothing: its image is overwritten by injected code (see the SetThreadContext and WriteProcessMemory entries below), so the -f "...\holdermail.txt" argument on its command line is consumed by the injected payload rather than by the compiler.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description   ioc                                                                                                                  process
  Key opened    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description        ioc                                                                                                                                                                  process
  Set value (str)    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"   RegAsm.exe
The value name "Windows Update" and the file name WindowsUpdate.exe imitate a Windows component, but the path is in the user-writable AppData\Roaming directory, which the real Windows Update service never uses.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  15     whatismyipaddress.com
  17     whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                   pid    process                                                                    target process
  PID 1208 set thread context   3508   48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe   RegAsm.exe
  PID 3508 set thread context   1524   RegAsm.exe                                                                 vbc.exe
  PID 3508 set thread context   2700   RegAsm.exe                                                                 vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's default description for this signature ("likely ransomware behaviour") does not fit this run: nothing here shows file encryption, while the Outlook account access and browser and messenger data reads point to an infostealer, so treat the drive enumeration as collection rather than encryption.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid    process
  3508   RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid    process
  Token: SeDebugPrivilege    3508   RegAsm.exe
  Token: SeDebugPrivilege    1524   vbc.exe
  Token: SeDebugPrivilege    2700   vbc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid    process
  3508   RegAsm.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes (the 26 "wrote to memory of" events collapsed by source/target pair):
  pid    process                                                                    target pid   target process   events
  1208   48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe   3508         RegAsm.exe       8
  3508   RegAsm.exe                                                                 1524         vbc.exe          9
  3508   RegAsm.exe                                                                 2700         vbc.exe          9
Processes
-
C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe  (depth 1, PID 1208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (depth 2, PID 3508, child of the sample)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3, child of RegAsm.exe)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3, child of RegAsm.exe)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Suspicious use of AdjustPrivilegeToken
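A detection pass over the behaviours recorded in the signatures and process tree above, as an added example; it is not part of this report or of the sandbox's own detection logic. The event stream is constructed from the report's PIDs, image paths, registry values and file paths, plus two benign rows (a lone memory write and a vendor Run value under Program Files) to show that the rules do not fire on them. The flat (kind, pid, image, target, detail) tuple layout is an assumption for the example, not the sandbox's or Sysmon's event schema. The hollowing rule pairs WriteProcessMemory with SetThreadContext on the same victim and flags victims under Microsoft.NET\Framework, which is exactly the sample -> RegAsm.exe -> vbc.exe chain above.

```python
"""Triage of the behaviours recorded in this sandbox report.

Added example, not part of the report or its tooling. EVENTS is constructed
from the report's own PIDs, image paths, registry values and file paths,
plus two benign rows that must not fire; the flat
(kind, pid, image, target, detail) tuple layout is an assumption, not the
sandbox's or Sysmon's event schema.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"

# Constructed event stream: (kind, actor pid, actor image, target, detail).
# For memory/thread events target is the victim PID and detail its image;
# for reg_set target is the value path and detail the value data.
EVENTS = [
    ("write_memory",       1208, SAMPLE, 3508, REGASM),
    ("set_thread_context", 1208, SAMPLE, 3508, REGASM),
    ("write_memory",       3508, REGASM, 1524, VBC),
    ("set_thread_context", 3508, REGASM, 1524, VBC),
    ("write_memory",       3508, REGASM, 2700, VBC),
    ("set_thread_context", 3508, REGASM, 2700, VBC),
    # Benign (constructed): a memory write with no thread-context change.
    ("write_memory", 4100, r"C:\Windows\System32\svchost.exe",
     4200, r"C:\Windows\System32\WerFault.exe"),
    ("file_create", 1208, SAMPLE,
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j2t6bIXtKRzH.lnk", ""),
    ("reg_set", 3508, REGASM,
     HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"),
    # Benign (constructed): a vendor Run value that points under Program Files.
    ("reg_set", 5000, r"C:\Program Files\Vendor\setup.exe",
     HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     r"C:\Program Files\Vendor\tray.exe"),
    ("reg_open", 1524, VBC,
     HKU + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts", ""),
]

NET_FRAMEWORK = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def hollowing_chains(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (actor, victim).

    Either call alone is common (debuggers, crash reporters); the pair on one
    victim is the hollowing signature. Returns (actor_pid, actor_image,
    victim_pid, victim_image, victim_is_dotnet_lolbin) in first-seen order.
    """
    calls = defaultdict(set)
    order = []
    for kind, pid, image, target, detail in events:
        if kind in ("write_memory", "set_thread_context"):
            key = (pid, image, target, detail)
            if key not in calls:
                order.append(key)
            calls[key].add(kind)
    return [key + (bool(NET_FRAMEWORK.search(key[3])),)
            for key in order
            if calls[key] == {"write_memory", "set_thread_context"}]


def suspicious_run_keys(events):
    """Run values whose data lives in a user-writable AppData path, or whose
    name borrows a Windows/Microsoft component name while pointing outside
    C:\\Windows. Returns (pid, image, value_name, value_data)."""
    hits = []
    for kind, pid, image, target, detail in events:
        match = RUN_VALUE.search(target) if kind == "reg_set" else None
        if not match:
            continue
        name, data = match.group(1), detail.strip('"')
        masquerade = any(w in name.lower() for w in ("windows", "microsoft"))
        outside_windows = not data.lower().startswith("c:\\windows\\")
        if USER_WRITABLE.search(data) or (masquerade and outside_windows):
            hits.append((pid, image, name, data))
    return hits


def startup_lnk_drops(events):
    """Shortcut files written into a per-user Startup folder."""
    return [(pid, image, target) for kind, pid, image, target, _ in events
            if kind == "file_create" and STARTUP_LNK.search(target)]


def triage(events):
    return {"process_hollowing": hollowing_chains(events),
            "run_key_persistence": suspicious_run_keys(events),
            "startup_folder_persistence": startup_lnk_drops(events)}


if __name__ == "__main__":
    for finding, rows in triage(EVENTS).items():
        print(finding)
        for row in rows:
            print("   ", row)
```

On a real host the same three rules run over Sysmon events (ID 8/10 for the injection pair, ID 13 for the Run value, ID 11 for the Startup .lnk); the pairing rule matters because a WriteProcessMemory on its own fires constantly for legitimate tooling, whereas WriteProcessMemory plus SetThreadContext against a freshly spawned, argument-less .NET Framework binary such as RegAsm.exe is rarely anything but hollowing.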
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize   271B
  MD5        a18df529a77ed1fbd887400151b9728f
  SHA1       74912cb5e97566749ccae5f70e52ee87cb4dfa07
  SHA256     599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3
  SHA512     a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize   327B
  MD5        e4f3273432f9167e5f8bd2048206773d
  SHA1       139b6566c6f8c6a359dd7e6063f88be24f701c8d
  SHA256     b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2
  SHA512     e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941
Two distinct versions of this file were captured at the same path, which is the path passed via -f to both vbc.exe instances.
-
Memory dumps (grouped by PID; Filesize as reported)
  memory/1208-132   0x0000000075320000-0x00000000758D1000   5.7MB
  memory/1208-136   0x0000000075320000-0x00000000758D1000   5.7MB
  memory/1524-137   mapping.dmp
  memory/1524-138   0x0000000000400000-0x0000000000422000   136KB
  memory/1524-139   0x0000000000400000-0x0000000000422000   136KB
  memory/1524-140   0x0000000000400000-0x0000000000422000   136KB
  memory/1524-142   0x0000000000400000-0x0000000000422000   136KB
  memory/2700-144   mapping.dmp
  memory/2700-145   0x0000000000400000-0x000000000046E000   440KB
  memory/2700-146   0x0000000000400000-0x000000000046E000   440KB
  memory/2700-147   0x0000000000400000-0x000000000046E000   440KB
  memory/2700-148   0x0000000000400000-0x000000000046E000   440KB
  memory/2700-150   0x0000000000400000-0x000000000046E000   440KB
  memory/3508-133   mapping.dmp
  memory/3508-134   0x0000000000400000-0x000000000049C000   624KB
  memory/3508-135   0x0000000075320000-0x00000000758D1000   5.7MB
  memory/3508-143   0x0000000075320000-0x00000000758D1000   5.7MB
The 0x400000 image regions are the ones worth pulling: the 624KB region in RegAsm.exe (3508) is consistent with the 648KB sample being mapped into the hollowed process, and the two vbc.exe instances carry different-sized images (136KB in 1524, 440KB in 2700), so two distinct payloads were injected rather than one payload run twice.