Analysis

max time kernel:  152s
max time network: 150s
platform:         windows10-2004_x64
resource:         win10v2004-20220812-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:        23-11-2022 18:40
Static task: static1

Behavioral task: behavioral1
  Sample:   a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample:   a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  Resource: win10v2004-20220812-en
General

Target: a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
Size:   640KB
MD5:    6615e3fdf098a182b254fd943a62a474
SHA1:   790213ad034281437f7887f17a2ae97b73f8131f
SHA256: a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
SHA512: 3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e
SSDEEP: 12288:rFY0DADILZoNEFKED5oJx/Ij9FD/aWWhsaExq:rF/AyZgEcEKK9FD/anil
Malware Config

Extracted
  Protocol: smtp
  Host:     smtp.mail.ru
  Port:     587
  Username: [email protected]
  Password: general123
Signatures

NirSoft MailPassView - 5 IoCs
  Password recovery tool for various email clients
  yara_rule MailPassView matched the following resources:
    behavioral2/memory/2860-138-0x0000000000400000-0x0000000000484000-memory.dmp
    behavioral2/memory/4808-153-0x0000000000000000-mapping.dmp
    behavioral2/memory/4808-154-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/4808-156-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/4808-157-0x0000000000400000-0x000000000041B000-memory.dmp

NirSoft WebBrowserPassView - 1 IoC
  Password recovery tool for various web browsers
  yara_rule WebBrowserPassView matched the following resource:
    behavioral2/memory/2860-138-0x0000000000400000-0x0000000000484000-memory.dmp

Nirsoft - 5 IoCs
  yara_rule Nirsoft matched the following resources:
    behavioral2/memory/2860-138-0x0000000000400000-0x0000000000484000-memory.dmp
    behavioral2/memory/4808-153-0x0000000000000000-mapping.dmp
    behavioral2/memory/4808-154-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/4808-156-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/4808-157-0x0000000000400000-0x000000000041B000-memory.dmp

Executes dropped EXE - 2 IoCs
  pid  | process
  3716 | Windows Update.exe
  204  | Windows Update.exe

Checks computer location settings - 2 TTPs, 2 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe

Uses the VBS compiler for execution - 1 TTP

Accesses Microsoft Outlook accounts - 1 TTP, 1 IoC
  description | ioc                                                                                                                     | process
  Key opened  | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Adds Run key to start application - 2 TTPs, 2 IoCs
  description     | ioc                                                                                                                                                                                   | process
  Key created     | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                          | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk" | reg.exe

Looks up external IP address via web service - 2 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  16   | whatismyipaddress.com
  27   | whatismyipaddress.com

Suspicious use of SetThreadContext - 3 IoCs
  description                          | pid  process                                                               | target process
  PID 1084 set thread context of 2860  | 1084 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  PID 3716 set thread context of 204   | 3716 Windows Update.exe                                                    | Windows Update.exe
  PID 204 set thread context of 4808   | 204 Windows Update.exe                                                     | vbc.exe

Enumerates physical storage devices - 1 TTP
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses - 64 IoCs
  pid  | process
  1084 | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe (4 entries)
  3716 | Windows Update.exe (2 entries)
  204  | Windows Update.exe (58 entries)

Suspicious use of AdjustPrivilegeToken - 3 IoCs
  description             | pid  process
  Token: SeDebugPrivilege | 1084 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  Token: SeDebugPrivilege | 3716 Windows Update.exe
  Token: SeDebugPrivilege | 204 Windows Update.exe

Suspicious use of SetWindowsHookEx - 1 IoC
  pid | process
  204 | Windows Update.exe

Suspicious use of WriteProcessMemory - 37 IoCs
  description                       | pid  process                                                               | target process
  PID 1084 wrote to memory of 2652  | 1084 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe | cmd.exe (3 entries)
  PID 2652 wrote to memory of 1716  | 2652 cmd.exe                                                               | reg.exe (3 entries)
  PID 1084 wrote to memory of 828   | 1084 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe (3 entries)
  PID 1084 wrote to memory of 2860  | 1084 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe | a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe (8 entries)
  PID 2860 wrote to memory of 3716  | 2860 a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe | Windows Update.exe (3 entries)
  PID 3716 wrote to memory of 204   | 3716 Windows Update.exe                                                    | Windows Update.exe (8 entries)
  PID 204 wrote to memory of 4808   | 204 Windows Update.exe                                                     | vbc.exe (9 entries)
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      - Adds Run key to start application

  (depth 2) C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"

  (depth 2) C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5:      c75d6d0d293ffb4995427e9aa537b095
  SHA1:     0fe0b1763179846ae78f0ceb8108a8a3ceb74698
  SHA256:   21ce126b4cf434ba1bf468087a69ce18945fb98ab91a0803e000cef191fb652c
  SHA512:   ec50a0cfeb2d09b242032fdaf44e3052f0ed04920587d387e6d27c1325cf00ba5abc9cb4d3770eaf56b3602a8bb8cb07edeeec76c9c933a45bae6476daee2af2

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 640KB
  MD5:      6615e3fdf098a182b254fd943a62a474
  SHA1:     790213ad034281437f7887f17a2ae97b73f8131f
  SHA256:   a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
  SHA512:   3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 640KB
  MD5:      6615e3fdf098a182b254fd943a62a474
  SHA1:     790213ad034281437f7887f17a2ae97b73f8131f
  SHA256:   a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
  SHA512:   3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 640KB
  MD5:      6615e3fdf098a182b254fd943a62a474
  SHA1:     790213ad034281437f7887f17a2ae97b73f8131f
  SHA256:   a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1
  SHA512:   3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

memory/204-146-0x0000000000000000-mapping.dmp

memory/204-152-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/204-150-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/828-136-0x0000000000000000-mapping.dmp

memory/1084-135-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/1084-139-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/1084-132-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/1716-134-0x0000000000000000-mapping.dmp

memory/2652-133-0x0000000000000000-mapping.dmp

memory/2860-138-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB

memory/2860-144-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/2860-140-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/2860-137-0x0000000000000000-mapping.dmp

memory/3716-145-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/3716-149-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

memory/3716-141-0x0000000000000000-mapping.dmp

memory/4808-153-0x0000000000000000-mapping.dmp

memory/4808-154-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/4808-156-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/4808-157-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB