Analysis
-
max time kernel
148s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 02:13
Static task
static1
Behavioral task
behavioral1
Sample
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe
Resource
win10v2004-20220812-en
General
-
Target
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe
-
Size
550KB
-
MD5
5a9fff2de2f9912b553c6d4d2eab3d66
-
SHA1
e43bd2c688b48db645d37a598eeccf9c7570b99e
-
SHA256
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e
-
SHA512
9c99e8ecdd55738cb51d661e34f654d6e25293d92041da281327a3dd73b0c28b917e6fbed4164ab3f9195fd5e120f3be598f6395872db15fcb200a9c7897d7db
-
SSDEEP
12288:PBFZTK6hTEJmB5yC9TgIdwV1FqMd+f7eZX:PBFZu6h0mZpDK+f7e
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\K1LsqC4mm6DVaCs7\\MjqvEbaHc003.exe\",explorer.exe" a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe -
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2752-135-0x0000000000400000-0x000000000048C000-memory.dmp MailPassView behavioral2/memory/2004-141-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/2004-142-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2004-144-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2004-145-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2004-146-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2752-135-0x0000000000400000-0x000000000048C000-memory.dmp WebBrowserPassView behavioral2/memory/5052-147-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/5052-148-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5052-150-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5052-151-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5052-153-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 11 IoCs
Processes:
resource yara_rule behavioral2/memory/2752-135-0x0000000000400000-0x000000000048C000-memory.dmp Nirsoft behavioral2/memory/2004-141-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/2004-142-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2004-144-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2004-145-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2004-146-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/5052-147-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/5052-148-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5052-150-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5052-151-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5052-153-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exea3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exedescription pid process target process PID 964 set thread context of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 2752 set thread context of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 set thread context of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exea3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exevbc.exepid process 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe 5052 vbc.exe 5052 vbc.exe 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exea3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exedescription pid process Token: SeDebugPrivilege 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe Token: SeDebugPrivilege 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exepid process 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exea3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exedescription pid process target process PID 964 wrote to memory of 4108 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 4108 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 4108 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 964 wrote to memory of 2752 964 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 2004 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe PID 2752 wrote to memory of 5052 2752 a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"2⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"C:\Users\Admin\AppData\Local\Temp\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
PID:2004 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a3ad6380bb7ca56ce6b0198ccbee6d4782510dbcbb31681ced66387496081a3e.exe.logFilesize
400B
MD50a9b4592cd49c3c21f6767c2dabda92f
SHA1f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA5126b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
memory/964-132-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/964-139-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/2004-141-0x0000000000000000-mapping.dmp
-
memory/2004-146-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2004-145-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2004-144-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2004-142-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2752-137-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/2752-140-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/2752-138-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/2752-135-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/2752-134-0x0000000000000000-mapping.dmp
-
memory/4108-133-0x0000000000000000-mapping.dmp
-
memory/5052-147-0x0000000000000000-mapping.dmp
-
memory/5052-148-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/5052-150-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/5052-151-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/5052-153-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB