Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 01:57
- Static task: static1
- Behavioral task: behavioral1
  - Sample: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
  - Resource: win7-20220901-en
- Behavioral task: behavioral2
  - Sample: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
  - Resource: win10v2004-20220901-en
General
- Target: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
- Size: 813KB
- MD5: 6cd920530b09541a42f1b1b40948a460
- SHA1: 2a26a1a400d2472c743bfe7ed1b7afb902fed486
- SHA256: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419
- SHA512: 6746bf0d8461509253e8296fe626ac3701a98fd813cd61c2b5fe5fcbbac4871025682ce8109dbf06275624dcb9eba34ef76dd15c8fd39a3bc64c60261e48ad40
- SSDEEP: 12288:QvRwqFq+PzD6Shp6/MVqZyiqsg0iR/Cs1q0vcSouox6UauGxO9v:6uqzD83Zyi1g06/5q+cNuoxX76O

Malware Config
(none extracted)
Signatures

NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
Memory regions matching yara rule MailPassView:
- behavioral2/memory/688-141-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-142-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-143-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-140-0x0000000000000000-mapping.dmp
- behavioral2/memory/988-148-0x0000000000000000-mapping.dmp
- behavioral2/memory/988-149-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/988-151-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/988-152-0x0000000000400000-0x000000000041B000-memory.dmp

NirSoft WebBrowserPassView (8 IoCs)
Password recovery tool for various web browsers
Memory regions matching yara rule WebBrowserPassView:
- behavioral2/memory/688-141-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-142-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-143-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-140-0x0000000000000000-mapping.dmp
- behavioral2/memory/3380-155-0x0000000000000000-mapping.dmp
- behavioral2/memory/3380-156-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3380-158-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3380-160-0x0000000000400000-0x0000000000458000-memory.dmp

Nirsoft (12 IoCs)
Memory regions matching yara rule Nirsoft:
- behavioral2/memory/688-141-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-142-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-143-0x0000000000400000-0x0000000000484000-memory.dmp
- behavioral2/memory/688-140-0x0000000000000000-mapping.dmp
- behavioral2/memory/988-148-0x0000000000000000-mapping.dmp
- behavioral2/memory/988-149-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/988-151-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/988-152-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3380-155-0x0000000000000000-mapping.dmp
- behavioral2/memory/3380-156-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3380-158-0x0000000000400000-0x0000000000458000-memory.dmp
- behavioral2/memory/3380-160-0x0000000000400000-0x0000000000458000-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\SOnRUafR.exe" (process: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\SOnRUafR.exe" (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (process: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 18: whatismyipaddress.com
- flow 20: whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
- PID 2972 set thread context of 688: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
- PID 688 set thread context of 988: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> vbc.exe
- PID 688 set thread context of 3380: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> vbc.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 688: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
- PID 3380: vbc.exe
- PID 3380: vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2972: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
- Token: SeDebugPrivilege, PID 688: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 688: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe

Suspicious use of WriteProcessMemory (38 IoCs)
Distinct write events (the sandbox trace logs each of these several times; the repeated rows are collapsed here):
- PID 2972 wrote to memory of 4212: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> csc.exe
- PID 4212 wrote to memory of 1668: csc.exe -> cvtres.exe
- PID 2972 wrote to memory of 688: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
- PID 2972 wrote to memory of 5048: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> cmd.exe
- PID 5048 wrote to memory of 1364: cmd.exe -> reg.exe
- PID 688 wrote to memory of 988: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> vbc.exe
- PID 688 wrote to memory of 3380: aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe -> vbc.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irzqndfa.cmdline"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB135.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB134.tmp"

  (depth 2) C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      - Suspicious behavior: EnumeratesProcesses

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SOnRUafR.exe
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SOnRUafR.exe
      - Adds Run key to start application
Downloads

C:\Users\Admin\AppData\Local\Temp\RESB135.tmp
- Filesize: 1KB
- MD5: 6ec3c0b99d9097859c4ae18af9c9ada9
- SHA1: 40d7ff2296785e9afb66d41e852aa4b95435bcb4
- SHA256: b994f46ae4f10fdb344310ebf8e9bb6b2eac7fba271a4c29f0dda68edd73f4f3
- SHA512: c83211ce4bf8850db96592f3431ccaa828f0436393bc864c55fa90fd2301651564862ac44a950e1bf8a854989ed8bada78830f3e6b089764b2965787c30e5d8f

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- Filesize: 3KB
- MD5: f94dc819ca773f1e3cb27abbc9e7fa27
- SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
- SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
- SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Users\Admin\AppData\Local\Temp\irzqndfa.dll
- Filesize: 1.1MB
- MD5: cc2a4494bfcf404c96250a29044940c2
- SHA1: 9a41df1a8630d21bac0d74a8d1084a23429c97bf
- SHA256: e7f559206ece73a4b97797aaec36ae96439d4b6b99a7ec0439dc6fbc6fcc2e20
- SHA512: 1ae4cebb3e4222a15d36f2a34fc7a17cba20912fbed76b1275e08c54bb6df5f0a080d7b743fa0a247959f4ed6a620c4655729d9ea665dc72527c27141f3259d0

\??\c:\Users\Admin\AppData\Local\Temp\CSCB134.tmp
- Filesize: 652B
- MD5: d4bd56385209a9354342c166d03cb37f
- SHA1: d4e3a53f170dc2f22dbebbc6dad5682ce5eee038
- SHA256: 4c9685995ae51d6330125300c52023800d40f1b1f3af39cf872890310e9afffc
- SHA512: 4a4c41969711ebe22ace7342bd738c1aec8e5938d3d6ff1244cf3305e74ecfac1663a1c67d14c64a36128d816ba5feab4d2936aefc0ea28962bc770e4c9454b0

\??\c:\Users\Admin\AppData\Local\Temp\irzqndfa.cmdline
- Filesize: 196B
- MD5: e56e29bdc404dfad69e2cf8e715a11f6
- SHA1: 298fcc20c02f404d115c45077daa08484a14a6c9
- SHA256: d32efa080c32bc62d7ed2b564f27a0d2a80b63f5f777e5c5905eaad35d48ef76
- SHA512: 1f8fdb206cb425005fb96fa195bede0109b7d6f61e533e21d0a63f4f4f40587a53d1c8ee21a26a0b6938b1253951718769a5a358cba111c41c0d13b6ac8be7e4

\??\c:\Users\Admin\AppData\Local\Temp\tmpAF50.tmp.txt
- Filesize: 549KB
- MD5: 92b0844476fd369c495d090e03904503
- SHA1: 7526f336151b9ff70bda24f7445ac412ae0b5738
- SHA256: 10bd8ca479b47c9b6a543790d5b9a0fba130efa0e42d4b538a756cc3aa42ca1f
- SHA512: dec7fd42d3193329dae373fe67e75daacf50c9eeec31023312f819e7ee557e0e288573de2a16894aea42da1e03dc3753039ea75e3ac938e21a227e852718639e

Memory dumps
- memory/688-147-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize: 5.7MB)
- memory/688-154-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize: 5.7MB)
- memory/688-141-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/688-142-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/688-143-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/688-140-0x0000000000000000-mapping.dmp
- memory/988-152-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/988-148-0x0000000000000000-mapping.dmp
- memory/988-149-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/988-151-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1364-146-0x0000000000000000-mapping.dmp
- memory/1668-136-0x0000000000000000-mapping.dmp
- memory/2972-153-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize: 5.7MB)
- memory/2972-132-0x00000000753F0000-0x00000000759A1000-memory.dmp (Filesize: 5.7MB)
- memory/3380-155-0x0000000000000000-mapping.dmp
- memory/3380-156-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3380-158-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3380-160-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/4212-133-0x0000000000000000-mapping.dmp
- memory/5048-145-0x0000000000000000-mapping.dmp