df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

Analysis

max time kernel
151s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
Size

706KB
MD5

4b7ee56888a0acd71058bf1f024c0af4
SHA1

10372be5eff74427006c6313409a32949c4d1995
SHA256

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806
SHA512

85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f
SSDEEP

12288:fcAZuLDjFjOf8XjkphHMumlJ/8P0kLAyIqdyLXAF9KxEzHLTTrm+pLFys8a3:qvNfQphsueJtkwXO9MELT3m+pd8a

Score

9^/10

collection persistence spyware stealer

Malware Config

Signatures

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1776-110-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1776-111-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1776-114-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1776-115-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1776-137-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/568-167-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/568-171-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1252-95-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1252-96-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/1252-99-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1252-100-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1776-110-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1776-111-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1776-114-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1776-115-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1776-137-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2040-152-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/2040-155-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2040-156-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/568-167-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/568-171-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

WUDHost.exeAcctres.exeWUDHost.exeAcctres.exe

pid process

1980 WUDHost.exe
972 Acctres.exe
1700 WUDHost.exe
960 Acctres.exe

pid	process
1980	WUDHost.exe
972	Acctres.exe
1700	WUDHost.exe
960	Acctres.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeWUDHost.exedw20.exe

pid process

1780 df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980 WUDHost.exe
520 dw20.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WUDHost.exeWUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 bot.whatismyipaddress.com

flow	ioc
6	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exedf1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeAcctres.exeAcctres.exe

description	pid	process	target process
PID 1780 set thread context of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1356 set thread context of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 set thread context of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 972 set thread context of 960	972	Acctres.exe	Acctres.exe
PID 960 set thread context of 2040	960	Acctres.exe	vbc.exe
PID 960 set thread context of 568	960	Acctres.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeWUDHost.exeAcctres.exe

pid	process
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1980	WUDHost.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
972	Acctres.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exedf1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeWUDHost.exeAcctres.exeAcctres.exeWUDHost.exe

description	pid	process
Token: SeDebugPrivilege	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
Token: SeDebugPrivilege	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
Token: SeDebugPrivilege	1980	WUDHost.exe
Token: SeDebugPrivilege	972	Acctres.exe
Token: SeDebugPrivilege	960	Acctres.exe
Token: SeDebugPrivilege	1700	WUDHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeAcctres.exe

pid process

1356 df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
960 Acctres.exe

pid	process
1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
960	Acctres.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exedf1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exeWUDHost.exeAcctres.exeAcctres.exe

description	pid	process	target process
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1356	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
PID 1780 wrote to memory of 1980	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1980	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1980	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1980	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1356 wrote to memory of 1900	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe
PID 1356 wrote to memory of 1900	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe
PID 1356 wrote to memory of 1900	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe
PID 1356 wrote to memory of 1900	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	cmd.exe
PID 1356 wrote to memory of 316	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	dw20.exe
PID 1356 wrote to memory of 316	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	dw20.exe
PID 1356 wrote to memory of 316	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	dw20.exe
PID 1356 wrote to memory of 316	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	dw20.exe
PID 1980 wrote to memory of 972	1980	WUDHost.exe	Acctres.exe
PID 1980 wrote to memory of 972	1980	WUDHost.exe	Acctres.exe
PID 1980 wrote to memory of 972	1980	WUDHost.exe	Acctres.exe
PID 1980 wrote to memory of 972	1980	WUDHost.exe	Acctres.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1252	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1356 wrote to memory of 1776	1356	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	vbc.exe
PID 1780 wrote to memory of 1700	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1700	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1700	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 1780 wrote to memory of 1700	1780	df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe	WUDHost.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 960	972	Acctres.exe	Acctres.exe
PID 960 wrote to memory of 1436	960	Acctres.exe	cmd.exe
PID 960 wrote to memory of 1436	960	Acctres.exe	cmd.exe
PID 960 wrote to memory of 1436	960	Acctres.exe	cmd.exe
PID 960 wrote to memory of 1436	960	Acctres.exe	cmd.exe
PID 960 wrote to memory of 520	960	Acctres.exe	dw20.exe
PID 960 wrote to memory of 520	960	Acctres.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
"C:\Users\Admin\AppData\Local\Temp\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe
"C:\Users\Admin\AppData\Local\Temp\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806.exe"
3⤵
- Drops startup file
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1668
3⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
3⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
3⤵
- Accesses Microsoft Outlook accounts
PID:1776

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
5⤵
- Drops startup file
PID:1436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1712
5⤵
- Loads dropped DLL
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
5⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
5⤵
- Accesses Microsoft Outlook accounts
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
706KB

MD5
4b7ee56888a0acd71058bf1f024c0af4

SHA1
10372be5eff74427006c6313409a32949c4d1995

SHA256
df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

SHA512
85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
706KB

MD5
4b7ee56888a0acd71058bf1f024c0af4

SHA1
10372be5eff74427006c6313409a32949c4d1995

SHA256
df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

SHA512
85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
706KB

MD5
4b7ee56888a0acd71058bf1f024c0af4

SHA1
10372be5eff74427006c6313409a32949c4d1995

SHA256
df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

SHA512
85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
706KB

MD5
4b7ee56888a0acd71058bf1f024c0af4

SHA1
10372be5eff74427006c6313409a32949c4d1995

SHA256
df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

SHA512
85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
706KB

MD5
4b7ee56888a0acd71058bf1f024c0af4

SHA1
10372be5eff74427006c6313409a32949c4d1995

SHA256
df1e9c32dca0bfb46f837503fdfaf837c0f2422ab2e20e82bc728d192e069806

SHA512
85bbd2c0ff4d8b72ca8dab0b6c10347c23284514d14b7ccdcba05adb61a9160e31d9768ceec3519caa4a9265ee26473d7d92e9763017b7463f652d2ca6b75c0f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
memory/316-77-0x0000000000000000-mapping.dmp

Download
memory/520-138-0x0000000000000000-mapping.dmp

Download
memory/568-167-0x0000000000411654-mapping.dmp

Download
memory/568-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-136-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/960-142-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/960-128-0x000000000047057E-mapping.dmp

Download
memory/972-86-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/972-116-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/972-83-0x0000000000000000-mapping.dmp

Download
memory/1252-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-100-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-99-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-96-0x000000000040E758-mapping.dmp

Download
memory/1252-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-90-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1356-63-0x000000000047057E-mapping.dmp

Download
memory/1356-65-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-67-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-75-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-79-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-61-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-58-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1356-57-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1436-135-0x0000000000000000-mapping.dmp

Download
memory/1700-118-0x0000000000000000-mapping.dmp

Download
memory/1700-121-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-141-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-111-0x0000000000411654-mapping.dmp

Download
memory/1776-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1780-56-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-72-0x0000000000000000-mapping.dmp

Download
memory/1980-80-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-70-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-117-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-152-0x000000000040E758-mapping.dmp

Download
memory/2040-155-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2040-156-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download