b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0

General

Target

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
Size

497KB
MD5

9f6d6e5d6c62c441b49547ce3fad75bd
SHA1

5d5851c522dccd615c0b21ae80b6d5e2c6eb17ca
SHA256

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0
SHA512

96eda44630c2fdc01cd03b4b8009d1b56f49c25a1290842ffd898ceebf84a7e36c7ebcf944e6a4e8b0c07e4dd6bd58d6e44be9b2ef47d4419afbf5b7087033e4
SSDEEP

12288:/jqatBqaba6QM3Do0cXC+VYApXJ6a26ZoyqIIhCY:/jqeYaO6QYDPcBVn76a2wPqkY

Score

9^/10

upx

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2352-142-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/2352-143-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2352-149-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2352-151-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2468-146-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/2468-147-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2468-150-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2468-152-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2352-142-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2352-143-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2468-146-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2468-147-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2352-149-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2468-150-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2468-152-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2352-151-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/648-134-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/648-136-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/648-137-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/648-138-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

pid process

5096 b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 whatismyipaddress.com

flow	ioc
8	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exeb12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

description	pid	process	target process
PID 5096 set thread context of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 648 set thread context of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 set thread context of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
File created	C:\Windows\assembly\Desktop.ini	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

2468 vbc.exe
2468 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

description pid process

Token: SeDebugPrivilege 648 b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

pid process

648 b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

pid	process
2468	vbc.exe
2468	vbc.exe

description	pid	process
Token: SeDebugPrivilege	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

pid	process
648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exeb12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe

description	pid	process	target process
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 5096 wrote to memory of 648	5096	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2352	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe
PID 648 wrote to memory of 2468	648	b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
"C:\Users\Admin\AppData\Local\Temp\b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe
"C:\Users\Admin\AppData\Local\Temp\b12b5ab5d46bf8c7ec3392d7a8ce20cd8b6d388784b326cebf21bc0bd5a4bae0.exe"
2⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsgDB34.tmp\WbmrBRTjfFbuMqUx.dll

Filesize
100KB

MD5
1594ef51526f554500fae20b79c3330a

SHA1
d0de7333c2da6ac94a3b17dc58f8dbc1bec76302

SHA256
59ee64781d8add283177bdadc70a0cbf104a7d747c72d7a57185f1d29e8e04f9

SHA512
188d4748c6cf5cc6474fcec17d7bf7294d7787ebee59b4428bd149128af5d2ffa150f4d0cc79e84d337b9887f70f738ad9bc2548ead08c8244a529f28379ae02

Download Submit
memory/648-141-0x000000000284C000-0x000000000284F000-memory.dmp

Filesize
12KB

Download
memory/648-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/648-133-0x0000000000000000-mapping.dmp

Download
memory/648-137-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/648-134-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/648-139-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/648-140-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/648-145-0x000000000284C000-0x000000000284F000-memory.dmp

Filesize
12KB

Download
memory/648-136-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2352-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-142-0x0000000000000000-mapping.dmp

Download
memory/2352-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-146-0x0000000000000000-mapping.dmp

Download
memory/2468-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2468-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2468-152-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads