3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Size

619KB
MD5

055e822885e9b0971b4e87b0ebfa4ab6
SHA1

c23f1fe682b87478bd3e327dd499960adf412aef
SHA256

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
SHA512

85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe
SSDEEP

12288:YkA5CuXTZVMUX8+fdS+D3niMcH+GjXyNrZWsg:Y15CuDZVMethD3i9HVXU9g

Score

9^/10

collection persistence spyware stealer

Malware Config

Signatures

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1692-110-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1692-111-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1692-114-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1692-115-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1692-116-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1728-172-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1728-176-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/800-95-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/800-96-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/800-99-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/800-100-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1692-110-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1692-111-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1692-114-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1692-115-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1692-116-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1968-157-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/1968-161-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1728-172-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1728-176-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exeAcctres.exeIpOverUsbSvrc.exeAcctres.exe

pid process

340 IpOverUsbSvrc.exe
972 Acctres.exe
1516 IpOverUsbSvrc.exe
1052 Acctres.exe

pid	process
340	IpOverUsbSvrc.exe
972	Acctres.exe
1516	IpOverUsbSvrc.exe
1052	Acctres.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeIpOverUsbSvrc.exedw20.exe

pid process

1908 3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340 IpOverUsbSvrc.exe
1936 dw20.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com

flow	ioc
5	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeAcctres.exeAcctres.exe

description	pid	process	target process
PID 1908 set thread context of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1524 set thread context of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 set thread context of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 972 set thread context of 1052	972	Acctres.exe	Acctres.exe
PID 1052 set thread context of 1968	1052	Acctres.exe	vbc.exe
PID 1052 set thread context of 1728	1052	Acctres.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeIpOverUsbSvrc.exeAcctres.exe

pid	process
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
340	IpOverUsbSvrc.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
972	Acctres.exe
1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
972	Acctres.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeIpOverUsbSvrc.exeAcctres.exeAcctres.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Token: SeDebugPrivilege	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Token: SeDebugPrivilege	340	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	972	Acctres.exe
Token: SeDebugPrivilege	1052	Acctres.exe
Token: SeDebugPrivilege	1516	IpOverUsbSvrc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeAcctres.exe

pid process

1524 3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1052 Acctres.exe

pid	process
1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
1052	Acctres.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeIpOverUsbSvrc.exeAcctres.exeAcctres.exe

description	pid	process	target process
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 1524	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 1908 wrote to memory of 340	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 340	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 340	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 340	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1524 wrote to memory of 1280	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 1524 wrote to memory of 1280	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 1524 wrote to memory of 1280	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 1524 wrote to memory of 1280	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 1524 wrote to memory of 748	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 1524 wrote to memory of 748	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 1524 wrote to memory of 748	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 1524 wrote to memory of 748	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 340 wrote to memory of 972	340	IpOverUsbSvrc.exe	Acctres.exe
PID 340 wrote to memory of 972	340	IpOverUsbSvrc.exe	Acctres.exe
PID 340 wrote to memory of 972	340	IpOverUsbSvrc.exe	Acctres.exe
PID 340 wrote to memory of 972	340	IpOverUsbSvrc.exe	Acctres.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 800	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1524 wrote to memory of 1692	1524	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	vbc.exe
PID 1908 wrote to memory of 1516	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 1516	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 1516	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 1908 wrote to memory of 1516	1908	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 972 wrote to memory of 1052	972	Acctres.exe	Acctres.exe
PID 1052 wrote to memory of 1356	1052	Acctres.exe	cmd.exe
PID 1052 wrote to memory of 1356	1052	Acctres.exe	cmd.exe
PID 1052 wrote to memory of 1356	1052	Acctres.exe	cmd.exe
PID 1052 wrote to memory of 1356	1052	Acctres.exe	cmd.exe
PID 1052 wrote to memory of 1936	1052	Acctres.exe	dw20.exe
PID 1052 wrote to memory of 1936	1052	Acctres.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
"C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
"C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
3⤵
- Drops startup file
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1652
3⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
3⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
3⤵
- Accesses Microsoft Outlook accounts
PID:1692

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
5⤵
- Drops startup file
PID:1356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1636
5⤵
- Loads dropped DLL
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
5⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
5⤵
- Accesses Microsoft Outlook accounts
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logff.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
memory/340-118-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/340-76-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/340-80-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/340-70-0x0000000000000000-mapping.dmp

Download
memory/748-77-0x0000000000000000-mapping.dmp

Download
memory/800-96-0x000000000040E758-mapping.dmp

Download
memory/800-90-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-100-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-99-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/800-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-117-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/972-83-0x0000000000000000-mapping.dmp

Download
memory/972-86-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-136-0x0000000000080000-0x00000000000F6000-memory.dmp

Filesize
472KB

Download
memory/1052-147-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-142-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-139-0x0000000000080000-0x00000000000F6000-memory.dmp

Filesize
472KB

Download
memory/1052-132-0x0000000000080000-0x00000000000F6000-memory.dmp

Filesize
472KB

Download
memory/1052-129-0x000000000047057E-mapping.dmp

Download
memory/1280-74-0x0000000000000000-mapping.dmp

Download
memory/1356-141-0x0000000000000000-mapping.dmp

Download
memory/1516-146-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-122-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-119-0x0000000000000000-mapping.dmp

Download
memory/1524-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-58-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-65-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-67-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-79-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-75-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-61-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1524-63-0x000000000047057E-mapping.dmp

Download
memory/1524-57-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1692-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-111-0x0000000000411654-mapping.dmp

Download
memory/1692-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-172-0x0000000000411654-mapping.dmp

Download
memory/1908-56-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1908-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-143-0x0000000000000000-mapping.dmp

Download
memory/1968-161-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1968-157-0x000000000040E758-mapping.dmp

Download