Analysis
-
max time kernel
165s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 13:46
Static task
static1
Behavioral task
behavioral1
Sample
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Resource
win10v2004-20221111-en
General
-
Target
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
-
Size
1.1MB
-
MD5
628159cada256516f610bbe6db816f77
-
SHA1
3d707cc93337e5d875861e01e363e10be7248702
-
SHA256
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
-
SHA512
cc86a5fdc6d506c3b838ea83ced31d7264ab32296b45993f3a20af2ecd521f81dfb426eda345e4615e3505ace632b1c1a9551d418c835625ab61123b3a40d965
-
SSDEEP
24576:1ALejTbyeniCQEx88bUJevBnDa58aY+zX52t4/xpeJ2YYHv:1M4GCF8uU8cgk4tAxpsQv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe" 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe -
NirSoft MailPassView 7 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\tmp.exe MailPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe MailPassView behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral2/memory/1680-150-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/1680-151-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1680-153-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1680-154-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\tmp.exe WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\tmp.exe WebBrowserPassView behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral2/memory/2896-155-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/2896-156-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2896-158-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2896-159-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2896-161-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 12 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\tmp.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\tmp.exe Nirsoft behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral2/memory/1680-150-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/1680-151-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1680-153-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1680-154-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2896-155-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/2896-156-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2896-158-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2896-159-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2896-161-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
tmp.exenotepad .exepid process 4252 tmp.exe 1900 notepad .exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" tmp.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exedescription pid process target process PID 3404 set thread context of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 4252 set thread context of 1680 4252 tmp.exe vbc.exe PID 4252 set thread context of 2896 4252 tmp.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exevbc.exepid process 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe 2896 vbc.exe 2896 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exedescription pid process Token: SeDebugPrivilege 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe Token: SeDebugPrivilege 4252 tmp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
tmp.exepid process 4252 tmp.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.execmd.exetmp.exedescription pid process target process PID 3404 wrote to memory of 1780 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe cmd.exe PID 3404 wrote to memory of 1780 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe cmd.exe PID 3404 wrote to memory of 1780 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe cmd.exe PID 1780 wrote to memory of 1128 1780 cmd.exe wscript.exe PID 1780 wrote to memory of 1128 1780 cmd.exe wscript.exe PID 1780 wrote to memory of 1128 1780 cmd.exe wscript.exe PID 3404 wrote to memory of 4252 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe tmp.exe PID 3404 wrote to memory of 4252 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe tmp.exe PID 3404 wrote to memory of 4252 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe tmp.exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 3404 wrote to memory of 1900 3404 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe notepad .exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 1680 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe PID 4252 wrote to memory of 2896 4252 tmp.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe"C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\mata.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Windows\temp\invs.vbs" "C:\Windows\temp\mata2.bat3⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
PID:1680 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\notepad .exe"C:\Users\Admin\AppData\Local\Temp\notepad .exe"2⤵
- Executes dropped EXE
PID:1900
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
69B
MD51d3598a9affc15c286c78b40a665bffc
SHA1dad491b8d033ce7dd37b8cade0eb6f8fdb61ecdf
SHA256524357b7b65b324c1c32607ba9cc71fed6437c502540c059732e8a44a6129bb2
SHA5123c7ccc403d9c515f04acc99607609cd2254b2f5a21667f4df5706297e4a5ef15a161da839e325b755f6f9eec8b47e060ec1a027b0092c5b70cbbbb853228d0a2
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
Filesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
Filesize
502KB
MD5dd2f48d0d1fbc39d67d398c02dd03d08
SHA1f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807
SHA256b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f
SHA51222ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c
-
Filesize
502KB
MD5dd2f48d0d1fbc39d67d398c02dd03d08
SHA1f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807
SHA256b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f
SHA51222ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c