Overview

overview

9

Static

static

011a83621f...1d.exe

windows7-x64

9

011a83621f...1d.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    197s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe

  • Size

    819KB

  • MD5

    d01d00c8e3827ed23b6bfa86fa20ec64

  • SHA1

    58206786f3cb06b38aa5131f1fd617df5846534e

  • SHA256

    011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d

  • SHA512

    1ba669e22373031ab06320cbaeb7f684abc7873bb17c397d68140f60f97238453a41ef41a8f970d910139532148b650a1f014c3340456a4c84a26a8548da01dd

  • SSDEEP

    12288:sscf6Itg+WOMD4rEr1yq9sZfHZrijZUyOD2zzmQceG:WCIJnra1yHtZWlUyODo9cF

Score
9/10
collectionspywarestealer

Malware Config

Signatures

  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • Nirsoft 10 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
    "C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
      "C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1496
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe"
          4⤵
          • Drops startup file
          PID:1208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1588
          4⤵
            PID:692
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
            4⤵
              PID:1104
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
              4⤵
              • Accesses Microsoft Outlook accounts
              PID:840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\logff.txt
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9B1UUVI.txt
        Filesize

        601B

        MD5

        9c089eed82b3ac7d6034e5b3f82f2383

        SHA1

        540aab7fdaedaad33fab5ab9347726705f294660

        SHA256

        77595f570848dd81818fa5f0658c7bfdb112448cce63771b38d4517c1071906d

        SHA512

        6f97040aef21f86106bbed6cf9d3b41e531228e127ebf5bebb6b30522951257b66c5201507598783dfedd225d39e5d15f5c105958761e01280fa04921f1d4948

        Download Submit
      • memory/268-72-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/268-87-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/268-73-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/268-68-0x0000000000000000-mapping.dmp
        Download
      • memory/692-91-0x0000000000000000-mapping.dmp
        Download
      • memory/736-123-0x0000000000BD5000-0x0000000000BE6000-memory.dmp
        Filesize

        68KB

        Download
      • memory/736-90-0x0000000000BD5000-0x0000000000BE6000-memory.dmp
        Filesize

        68KB

        Download
      • memory/736-88-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/736-86-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/736-80-0x000000000047089E-mapping.dmp
        Download
      • memory/840-115-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-117-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-124-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-122-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-121-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-118-0x0000000000411654-mapping.dmp
        Download
      • memory/840-109-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-110-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-112-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/840-114-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1068-58-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-57-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-67-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-65-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-63-0x000000000047089E-mapping.dmp
        Download
      • memory/1068-61-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-62-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1068-60-0x0000000000400000-0x0000000000476000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1104-101-0x000000000040E758-mapping.dmp
        Download
      • memory/1104-98-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-105-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-95-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-92-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-97-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-104-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-107-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-93-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1104-100-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1208-89-0x0000000000000000-mapping.dmp
        Download
      • memory/1368-70-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1368-56-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1368-54-0x0000000076301000-0x0000000076303000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1368-55-0x0000000074600000-0x0000000074BAB000-memory.dmp
        Filesize

        5.7MB

        Download