Analysis
- max time kernel: 151s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 09:40
Static task: static1
Behavioral task: behavioral1
- Sample: 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
- Resource: win10v2004-20221111-en
General
- Target: 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
- Size: 606KB
- MD5: 720d10b1cf1f0ffea760e4614547a371
- SHA1: a68f59f07bbacbd75e1951082bf2a66cc3936c9e
- SHA256: 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c
- SHA512: 2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019
- SSDEEP: 12288:lZ72G7ahUmH2fG+nW6ITjKdXix4ZQ/gyblukHCGrFp:n729UmH2++XIa12lbQYCGBp
Malware Config
Signatures

NirSoft MailPassView (12 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp | MailPassView
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
behavioral1/memory/1216-77-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1216-78-0x0000000000411654-mapping.dmp | MailPassView
behavioral1/memory/1216-81-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1216-82-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1216-90-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp | MailPassView
NirSoft WebBrowserPassView (12 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp | WebBrowserPassView
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
behavioral1/memory/1784-92-0x0000000000442628-mapping.dmp | WebBrowserPassView
behavioral1/memory/1784-91-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1784-95-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1784-96-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1784-98-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp | WebBrowserPassView
Nirsoft (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp | Nirsoft
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
behavioral1/memory/1216-77-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1216-78-0x0000000000411654-mapping.dmp | Nirsoft
behavioral1/memory/1216-81-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1216-82-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1216-90-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1784-92-0x0000000000442628-mapping.dmp | Nirsoft
behavioral1/memory/1784-91-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1784-95-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1784-96-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1784-98-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp | Nirsoft
Executes dropped EXE (3 IoCs)
Processes:
pid | process
940 | WUDHost.exe
1676 | Acctres.exe
1568 | Acctres.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940 | WUDHost.exe
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe" | WUDHost.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | whatismyipaddress.com
4 | whatismyipaddress.com
6 | whatismyipaddress.com
Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 1956 set thread context of 1712 | 1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1712 set thread context of 1216 | 1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | vbc.exe
PID 1712 set thread context of 1784 | 1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | vbc.exe
PID 1676 set thread context of 1568 | 1676 | Acctres.exe | Acctres.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 events; each repeated pid/process row is listed once):
pid | process
1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940 | WUDHost.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Token: SeDebugPrivilege | 1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Token: SeDebugPrivilege | 940 | WUDHost.exe
Token: SeDebugPrivilege | 1676 | Acctres.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Suspicious use of WriteProcessMemory (46 IoCs)
Processes (46 events; identical rows collapsed, with the number of occurrences in the last column):
description | pid | process | target process | count
PID 1956 wrote to memory of 1712 | 1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | 9
PID 1956 wrote to memory of 940 | 1956 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | WUDHost.exe | 4
PID 1712 wrote to memory of 1216 | 1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | vbc.exe | 10
PID 940 wrote to memory of 1676 | 940 | WUDHost.exe | Acctres.exe | 4
PID 1712 wrote to memory of 1784 | 1712 | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe | vbc.exe | 10
PID 1676 wrote to memory of 1568 | 1676 | Acctres.exe | Acctres.exe | 9
Processes (the leading number is the depth in the process tree; children are indented under their parent)
1 C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe (PID 1956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe (PID 1712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1216)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    3 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1784)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  2 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe (PID 940)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe (PID 1676)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe (PID 1568)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 606KB
  MD5: 720d10b1cf1f0ffea760e4614547a371
  SHA1: a68f59f07bbacbd75e1951082bf2a66cc3936c9e
  SHA256: 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c
  SHA512: 2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019
- Filesize: 6KB
  MD5: 81cd48fa8f0a70fe3872780af4f96055
  SHA1: fe725ffab8ad3be4df9b6205894a665f67668af5
  SHA256: 66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991
  SHA512: ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7