Analysis
max time kernel: 137s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 18:42
Static task: static1
Behavioral task: behavioral1
Sample: 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Resource: win7-20220812-en
General
Target: 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Size: 1.0MB
MD5: 03a6f05f998a2c1da3bbe3dba6f44917
SHA1: b9a38f68387f77ed9b752f056bda282580a52ca8
SHA256: 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b
SHA512: d45f3792eba2e04b5f1c9686ee7711f6a2edc976e4f770f34cdff86bb537aeb247d1fe0b705c5cea8860cf32245794b95f2a156597136a168e5c1a953ef929f9
SSDEEP: 24576:jBxiZeC6Lj/mHlOdBBR6x/a2fQY5kfqFGlwpV:jLiZeC4TOOdBn0LfTqfqFJL
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
4952 natsv.exe
4248 dnsmon.exe
4764 natsv.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation natsv.exe
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation dnsmon.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, such as saved credentials, cookies and autofill entries.
-
Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
vbc.exe is the VB.NET command-line compiler, not a VBScript host. Here it is never given source to compile: RegAsm.exe starts it and sets its thread context (see the SetThreadContext IoCs below), so the legitimate Microsoft binary only serves as a host for injected code.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes (description, ioc, process):
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
24 whatismyipaddress.com
26 whatismyipaddress.com
28 whatismyipaddress.com
-
Suspicious use of SetThreadContext 6 IoCs
Processes (pid process -> target pid process):
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe set thread context of 2000 RegAsm.exe
4248 dnsmon.exe set thread context of 2448 RegAsm.exe
2000 RegAsm.exe set thread context of 3412 vbc.exe
2448 RegAsm.exe set thread context of 1596 vbc.exe
2000 RegAsm.exe set thread context of 4912 vbc.exe
2448 RegAsm.exe set thread context of 4352 vbc.exe
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
These .cch files are the .NET Framework 2.0 code-access-security policy cache, which the runtime itself rewrites when a v2.0 assembly starts. Together with the CLR_v2.0_32 usage log in Downloads they show that the sample is a 32-bit .NET 2.0 executable; the signature reflects runtime housekeeping rather than a deliberate drop into C:\Windows.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note calls this likely ransomware behaviour, but drive enumeration is just as common in stealers, and nothing else in this report (no mass file writes, no ransom note) points at encryption; the remaining signatures are those of a credential stealer.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4952 natsv.exe
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe (repeated for all remaining entries up to the 64-IoC cap)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes (pid, process):
2448 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege 4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe (x2)
Token: SeDebugPrivilege 4952 natsv.exe
Token: SeDebugPrivilege 2000 RegAsm.exe
Token: SeDebugPrivilege 4248 dnsmon.exe (x2)
Token: SeDebugPrivilege 4764 natsv.exe
Token: SeDebugPrivilege 2448 RegAsm.exe
Token: SeDebugPrivilege 3412 vbc.exe
Token: SeDebugPrivilege 1596 vbc.exe
Token: SeDebugPrivilege 4912 vbc.exe
Token: SeDebugPrivilege 4352 vbc.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
2000 RegAsm.exe
2448 RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process -> target pid process, repeat count):
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe -> 3900 cmd.exe (x3)
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe -> 2000 RegAsm.exe (x9)
4304 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe -> 3444 cmd.exe (x3)
3444 cmd.exe -> 4952 natsv.exe (x3)
4952 natsv.exe -> 2452 cmd.exe (x3)
2452 cmd.exe -> 2868 reg.exe (x3)
4952 natsv.exe -> 4248 dnsmon.exe (x3)
4248 dnsmon.exe -> 2448 RegAsm.exe (x9)
4248 dnsmon.exe -> 2944 cmd.exe (x3)
2944 cmd.exe -> 4764 natsv.exe (x3)
2000 RegAsm.exe -> 3412 vbc.exe (x9)
2448 RegAsm.exe -> 1596 vbc.exe (x9)
2000 RegAsm.exe -> 4912 vbc.exe (x4; the list stops at the 64-IoC cap)
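The SetThreadContext and WriteProcessMemory signatures log one IoC per API call, so the injection chain is buried in repeats and the WriteProcessMemory list appears capped at 64 entries. The Python below is an added example, not part of the sandbox output, that parses an excerpt of those two lists in the sandbox's raw "PID <src> ... <dst> <src> <src name> <dst name>" layout (embedded as REPORT_EXCERPT; the sample's SHA-256 file name is held in SAMPLE), collapses the repeats, separates the hollowing edges (write plus SetThreadContext) from plain CreateProcess edges (write only), and prints the chains from each root.

```python
# Added example (not part of the sandbox report): rebuild the injection chain
# from the SetThreadContext / WriteProcessMemory IoC text.  REPORT_EXCERPT is
# copied from those two signatures; SAMPLE holds the SHA-256-named file.
import re
from collections import defaultdict

SAMPLE = "12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe"

REPORT_EXCERPT = f"""
PID 4304 set thread context of 2000 4304 {SAMPLE} RegAsm.exe PID 4248 set thread context of 2448 4248 dnsmon.exe RegAsm.exe PID 2000 set thread context of 3412 2000 RegAsm.exe vbc.exe PID 2448 set thread context of 1596 2448 RegAsm.exe vbc.exe PID 2000 set thread context of 4912 2000 RegAsm.exe vbc.exe PID 2448 set thread context of 4352 2448 RegAsm.exe vbc.exe
PID 4304 wrote to memory of 3900 4304 {SAMPLE} cmd.exe PID 4304 wrote to memory of 3900 4304 {SAMPLE} cmd.exe PID 4304 wrote to memory of 2000 4304 {SAMPLE} RegAsm.exe PID 3444 wrote to memory of 4952 3444 cmd.exe natsv.exe PID 4952 wrote to memory of 4248 4952 natsv.exe dnsmon.exe PID 4248 wrote to memory of 2448 4248 dnsmon.exe RegAsm.exe PID 2000 wrote to memory of 3412 2000 RegAsm.exe vbc.exe PID 2448 wrote to memory of 1596 2448 RegAsm.exe vbc.exe PID 2000 wrote to memory of 4912 2000 RegAsm.exe vbc.exe
"""

# Both IoC kinds share the shape "PID <src> <verb> <dst> <src> <src name> <dst name>".
SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")
WROTE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Return {(src_pid, dst_pid): [src_name, dst_name, {kinds}]} with the
    per-call repeats collapsed (the sandbox logs one IoC per API call)."""
    edges = {}
    for kind, rx in (("write", WROTE), ("ctx", SET_CTX)):
        for m in rx.finditer(text):
            key = (int(m.group(1)), int(m.group(2)))
            entry = edges.setdefault(key, [m.group(3), m.group(4), set()])
            entry[2].add(kind)
    return edges


def injection_chains(edges):
    """Follow SetThreadContext edges from each root.  A parent that writes the
    child's memory and then resets its thread context is replacing the child's
    code (process hollowing); a plain CreateProcess parent only writes."""
    ctx = [(s, d, sn, dn) for (s, d), (sn, dn, kinds) in edges.items() if "ctx" in kinds]
    children, names = defaultdict(list), {}
    for s, d, sn, dn in ctx:
        children[s].append((d, dn))
        names[s] = sn
    targets = {d for _, d, _, _ in ctx}
    chains = []

    def walk(pid, label, path):
        path = path + [f"{label}({pid})"]
        if pid not in children:
            chains.append(path)
            return
        for d, dn in children[pid]:
            walk(d, dn, path)

    for root in sorted(s for s in children if s not in targets):
        walk(root, names[root], [])
    return chains


def unconfirmed_writes(edges):
    """SetThreadContext edges with no matching WriteProcessMemory IoC: with a
    capped list this usually means the write was truncated, not absent."""
    return sorted(k for k, (_, _, kinds) in edges.items() if kinds == {"ctx"})


if __name__ == "__main__":
    e = parse_edges(REPORT_EXCERPT)
    for chain in injection_chains(e):
        print(" -> ".join(chain))
    print("ctx without observed write:", unconfirmed_writes(e))
```

On the excerpt this yields four chains, two per root (dnsmon.exe and the original sample), each ending in a vbc.exe that RegAsm.exe hollowed; the edge 2448 -> 4352 shows up as a SetThreadContext without a logged write, which is the truncation, not a different technique.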
Processes
-
(1) C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
    "C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
  (2) C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
-
  (2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
    (3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
        - Suspicious use of AdjustPrivilegeToken
-
    (3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Suspicious use of AdjustPrivilegeToken
-
  (2) C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
      - Suspicious use of WriteProcessMemory
-
    (3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
      (4) C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
          - Suspicious use of WriteProcessMemory
-
        (5) C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
-
      (4) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
-
        (5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: SetClipboardViewer
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
-
          (6) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              - Accesses Microsoft Outlook accounts
              - Suspicious use of AdjustPrivilegeToken
-
          (6) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              - Suspicious use of AdjustPrivilegeToken
-
        (5) C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
            - Suspicious use of WriteProcessMemory
-
          (6) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
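Four behaviours in the process tree above are worth turning into hunting logic: the sample copies itself into %APPDATA%\Microsoft\Windows\ via cmd /c copy; it launches the .NET 2.0 utilities RegAsm.exe (no arguments) and vbc.exe (pointed at a .txt in %TEMP%) only to hollow them; it persists through the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy logon entry (the win.ini "load=" equivalent) that legitimate software almost never sets; and it resolves whatismyipaddress.com from the hollowed RegAsm.exe. The Python below is an added example, not output of the sandbox or code from the sample's author, that encodes those rules and runs them over constructed Sysmon-style events mirroring the tree. The field names are a simplified stand-in for Sysmon's Image, CommandLine, ParentImage, TargetObject, Details and QueryName; the sample path is shortened to sample.exe; and the final MSBuild event is invented to show the rule's negative case.

```python
# Added example (not the sandbox's or the malware author's code): hunting rules
# derived from the process tree, run over constructed Sysmon-style events.
import re
from dataclasses import dataclass
from collections import Counter


@dataclass
class Event:
    kind: str                 # "process" (EID 1), "registry" (EID 13) or "dns" (EID 22)
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""          # registry value path (EID 13) or queried name (EID 22)
    details: str = ""         # data written to the registry value (EID 13)


FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework\\"
LOAD_VALUE = "\\windows nt\\currentversion\\windows\\load"
IP_LOOKUP_HOSTS = {"whatismyipaddress.com"}   # the one seen here; extend from your telemetry
TEMP_TXT = re.compile(r"\\appdata\\local\\temp\\[^\s\"]+\.txt", re.I)
REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b")


def rule_net_utility_hosting_code(ev):
    """RegAsm.exe started with no arguments by something under C:\\Users, or vbc.exe
    spawned by RegAsm.exe / pointed at a .txt in %TEMP%.  Real builds run vbc.exe
    from MSBuild or devenv with a response file, which this rule leaves alone."""
    if ev.kind != "process":
        return False
    img, parent = ev.image.lower(), ev.parent_image.lower()
    if not img.startswith(FRAMEWORK_DIR):
        return False
    if img.endswith("\\regasm.exe"):
        no_args = ev.cmdline.strip().strip('"').lower().endswith("regasm.exe")
        return no_args and parent.startswith("c:\\users\\")
    if img.endswith("\\vbc.exe"):
        return parent.endswith("\\regasm.exe") or TEMP_TXT.search(ev.cmdline) is not None
    return False


def rule_load_value_persistence(ev):
    """Match both the reg.exe command line and the resulting write to the Load value."""
    if ev.kind == "registry":
        return ev.target.lower().endswith(LOAD_VALUE) and ev.details.strip() != ""
    if ev.kind == "process":
        c = ev.cmdline.lower()
        return (REG_ADD.search(c) is not None and "currentversion\\windows" in c
                and re.search(r'/v\s+"?load"?', c) is not None)
    return False


def rule_self_copy_to_appdata(ev):
    """cmd /c copy <file>.exe into %APPDATA%\\Microsoft\\Windows\\ (how dnsmon.exe is staged)."""
    if ev.kind != "process":
        return False
    c = ev.cmdline.lower()
    return ("copy " in c and "\\appdata\\roaming\\microsoft\\windows\\" in c
            and c.rstrip('" ').endswith(".exe"))


def rule_external_ip_lookup(ev):
    if ev.kind != "dns":
        return False
    name = ev.target.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in IP_LOOKUP_HOSTS)


RULES = {
    "net_utility_hosting_code": rule_net_utility_hosting_code,
    "load_value_persistence": rule_load_value_persistence,
    "self_copy_to_appdata": rule_self_copy_to_appdata,
    "external_ip_lookup": rule_external_ip_lookup,
}


def hunt(events):
    """Return (rule name, event) pairs for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    return dict(Counter(name for name, _ in hunt(events)))


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stands in for the SHA-256-named file
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [  # constructed to mirror the process tree, plus one benign build event
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe", parent_image=SAMPLE_EXE,
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c copy "{SAMPLE_EXE}" '
                  r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"'),
    Event("process", image=NET20 + r"\RegAsm.exe", cmdline=f'"{NET20}\\RegAsm.exe"',
          parent_image=SAMPLE_EXE),
    Event("process", image=NET20 + r"\vbc.exe", parent_image=NET20 + r"\RegAsm.exe",
          cmdline=f'{NET20}\\vbc.exe -f "C:\\Users\\Admin\\AppData\\Local\\Temp\\holdermail.txt"'),
    Event("process", image=r"C:\Windows\SysWOW64\reg.exe", parent_image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" '
                  r'/v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f'),
    Event("registry", image=r"C:\Windows\SysWOW64\reg.exe",
          target=r"HKU\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
          details=r"cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"),
    Event("dns", image=NET20 + r"\RegAsm.exe", target="whatismyipaddress.com"),
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",   # benign (invented)
          parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          cmdline=r'vbc.exe /noconfig @"C:\build\app\obj\Debug\app.vbproj.rsp"'),
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name:26} {ev.image}")
```

The Load-value rule fires twice on the constructed events, once on the reg.exe command line and once on the registry write, so either telemetry source alone is enough; the RegAsm.exe rule keys on the parent living under C:\Users because a RegAsm.exe launched by an installer in Program Files with no arguments is unusual but not the pattern seen here.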
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log
Filesize 128B
MD5 a5dcc7c9c08af7dddd82be5b036a4416
SHA1 4f998ca1526d199e355ffb435bae111a2779b994
SHA256 e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt (first content, written twice)
Filesize 321B
MD5 e62221a3bb549a72fcc4afa60d34e620
SHA1 d60b16b540e0e3ed459a30cce0678d1fc8a1989a
SHA256 587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95
SHA512 5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt (second content)
Filesize 321B
MD5 c3609e29395ccd5fd8407fed36414e75
SHA1 04c0c5dc3fcced0c5581c44af17fa60260fb591a
SHA256 a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857
SHA512 8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe (2 identical entries; same hashes as the submitted sample)
Filesize 1.0MB
MD5 03a6f05f998a2c1da3bbe3dba6f44917
SHA1 b9a38f68387f77ed9b752f056bda282580a52ca8
SHA256 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b
SHA512 d45f3792eba2e04b5f1c9686ee7711f6a2edc976e4f770f34cdff86bb537aeb247d1fe0b705c5cea8860cf32245794b95f2a156597136a168e5c1a953ef929f9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe (4 identical entries)
Filesize 24KB
MD5 17f51ab722963d73b5dcd050d06e6d40
SHA1 70a1eb538fe961512c74dda727ef185c8eb42884
SHA256 e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417
SHA512 041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d
-
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize 4B
MD5 08f90c1a417155361a5c4b8d297e0d78
SHA1 a4ac914c09d7c097fe1f4f96b897e625b6922069
SHA256 81a83544cf93c245178cbc1620030f1123f435af867c79d87135983c52ab39d9
SHA512 57acf66b146e4f606413e8707ffae882a5ea0228de3455c8efffd439f6ef1a2a04eec109d2879bf64c1d7e05cdd808a14db5c5b0f6a4ccf758d0c998058b53cd
-
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize 56B
MD5 efd1636cfc3cc38fd7babae5cac9ede0
SHA1 4d7d378abeb682eefbd039930c0ea996fbf54178
SHA256 f827d5b11c1eb3902d601c3e0b59ba32fe11c0b573fbf22fb2af86bfd4651bba
SHA512 69b2b0ab1a6e13395ef52dcb903b8e17d842e6d0d44f801ff2659cfd5ec343c8cc57928b02961fc7099ad43ff05633baf5ac39042a00c8676d4fa8f6f8c2a5d7
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize 514B
MD5 cf738b913686436584e0e66865dbed4d
SHA1 28c636baff765afae70eb7496eea29c3e799de7a
SHA256 2020dc9a431a6ef7120fba50f8cdd0601ae325b06fbfd10baa510db76f1acd7e
SHA512 7824053ba982722586096170d3bdb932db46e9eee367f57acca7a6415e2de52ae26733dd7cf0cbcd1385301ea3c99102bc302839470f980ba385c141e2831ee3
-
memory/1596-171-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/1596-167-0x0000000000000000-mapping.dmp
memory/1596-173-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/1596-176-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/2000-141-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/2000-145-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/2000-136-0x0000000000400000-0x00000000004E6000-memory.dmp Filesize 920KB
memory/2000-135-0x0000000000000000-mapping.dmp
memory/2448-161-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/2448-152-0x0000000000000000-mapping.dmp
memory/2448-178-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/2452-143-0x0000000000000000-mapping.dmp
memory/2868-144-0x0000000000000000-mapping.dmp
memory/2944-154-0x0000000000000000-mapping.dmp
memory/3412-165-0x0000000000000000-mapping.dmp
memory/3412-174-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/3412-170-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/3412-169-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/3412-166-0x0000000000400000-0x000000000046E000-memory.dmp Filesize 440KB
memory/3444-137-0x0000000000000000-mapping.dmp
memory/3900-134-0x0000000000000000-mapping.dmp
memory/4248-177-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4248-148-0x0000000000000000-mapping.dmp
memory/4248-150-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4304-133-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4304-164-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4304-132-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4352-182-0x0000000000000000-mapping.dmp
memory/4352-188-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4352-187-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4352-186-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4764-155-0x0000000000000000-mapping.dmp
memory/4764-162-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4764-179-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4912-189-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4912-181-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4912-184-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4912-185-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4912-180-0x0000000000000000-mapping.dmp
memory/4912-191-0x0000000000400000-0x000000000046F000-memory.dmp Filesize 444KB
memory/4952-147-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4952-138-0x0000000000000000-mapping.dmp
memory/4952-142-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB
memory/4952-151-0x00000000746C0000-0x0000000074C71000-memory.dmp Filesize 5.7MB