Analysis
max time kernel: 166s
max time network: 165s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Resource: win10v2004-20221111-en
General
Target: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
Size: 596KB
MD5: eeeef046f5456cfc861fd40c459c6891
SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b
SSDEEP: 6144:R6ju7BA9luh8zWC82h19oikIIeapv6EQ6/kIIGGGMzaAyFdzDTruVXwpccNfL0d3:t8yAv7apDQCHGG7H++q4LbmS
Malware Config
Signatures
NirSoft MailPassView (7 IoCs)
Password recovery tool for various email clients
Processes (resource | yara_rule):
behavioral1/memory/1800-65-0x0000000000400000-0x000000000048A000-memory.dmp | MailPassView
behavioral1/memory/1800-63-0x0000000000400000-0x000000000048A000-memory.dmp | MailPassView
behavioral1/memory/1800-66-0x0000000000400000-0x000000000048A000-memory.dmp | MailPassView
behavioral1/memory/1800-67-0x000000000048266E-mapping.dmp | MailPassView
behavioral1/memory/1800-69-0x0000000000400000-0x000000000048A000-memory.dmp | MailPassView
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048A000-memory.dmp | MailPassView
behavioral1/memory/1468-89-0x000000000048266E-mapping.dmp | MailPassView

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Processes (resource | yara_rule):
behavioral1/memory/1800-65-0x0000000000400000-0x000000000048A000-memory.dmp | WebBrowserPassView
behavioral1/memory/1800-63-0x0000000000400000-0x000000000048A000-memory.dmp | WebBrowserPassView
behavioral1/memory/1800-66-0x0000000000400000-0x000000000048A000-memory.dmp | WebBrowserPassView
behavioral1/memory/1800-67-0x000000000048266E-mapping.dmp | WebBrowserPassView
behavioral1/memory/1800-69-0x0000000000400000-0x000000000048A000-memory.dmp | WebBrowserPassView
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048A000-memory.dmp | WebBrowserPassView
behavioral1/memory/1468-89-0x000000000048266E-mapping.dmp | WebBrowserPassView

Nirsoft (7 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/1800-65-0x0000000000400000-0x000000000048A000-memory.dmp | Nirsoft
behavioral1/memory/1800-63-0x0000000000400000-0x000000000048A000-memory.dmp | Nirsoft
behavioral1/memory/1800-66-0x0000000000400000-0x000000000048A000-memory.dmp | Nirsoft
behavioral1/memory/1800-67-0x000000000048266E-mapping.dmp | Nirsoft
behavioral1/memory/1800-69-0x0000000000400000-0x000000000048A000-memory.dmp | Nirsoft
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048A000-memory.dmp | Nirsoft
behavioral1/memory/1468-89-0x000000000048266E-mapping.dmp | Nirsoft
Executes dropped EXE (2 IoCs)
Processes (pid | process):
600 | Windows Update.exe
1468 | Windows Update.exe

Deletes itself (1 IoCs)
Processes (pid | process):
1468 | Windows Update.exe

Loads dropped DLL (3 IoCs)
Processes (pid | process):
860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
1800 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
600 | Windows Update.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk" | reg.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
4 | whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
PID 860 set thread context of 1800 | 860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
PID 600 set thread context of 1468 | 600 | Windows Update.exe | Windows Update.exe
PID 1468 set thread context of 1320 | 1468 | Windows Update.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid | process):
860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
600 | Windows Update.exe
1468 | Windows Update.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
Token: SeDebugPrivilege | 600 | Windows Update.exe
Token: SeDebugPrivilege | 1468 | Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
1468 | Windows Update.exe

Suspicious use of WriteProcessMemory (46 IoCs)
Processes (description | pid | process | target process | number of events):
PID 860 wrote to memory of 1820 | 860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe | cmd.exe | 4
PID 1820 wrote to memory of 948 | 1820 | cmd.exe | reg.exe | 4
PID 860 wrote to memory of 1800 | 860 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe | 9
PID 1800 wrote to memory of 600 | 1800 | eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe | Windows Update.exe | 7
PID 600 wrote to memory of 1468 | 600 | Windows Update.exe | Windows Update.exe | 12
PID 1468 wrote to memory of 1320 | 1468 | Windows Update.exe | vbc.exe | 10
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe"
  PID: 860
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      PID: 1820
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
          PID: 948
          - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe"
      PID: 1800
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Windows Update.exe
          command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          PID: 600
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\Windows Update.exe
              command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
              PID: 1468
              - Executes dropped EXE
              - Deletes itself
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                  PID: 1320
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 7a41a2c0ab3c89ea72c9b1a51e66e35a
  SHA1: 86a4f0f045151875dd7434d0b88f9b7631ff091a
  SHA256: 49a57814154518de9f36076b2186250d3d3ff39ece9d646379a189016f655013
  SHA512: ace2d74a2928cf575d6f5b84b08deaa9f3d226c774c70bfbf4c1f4fe8d8897848c810b02cff6c8721421db5cf4251e1bbb13d03adf3d530448c42493530ba44c
C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times with identical hashes)
  Filesize: 596KB
  MD5: eeeef046f5456cfc861fd40c459c6891
  SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
  SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
  SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b
\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe
  Filesize: 596KB
  MD5: eeeef046f5456cfc861fd40c459c6891
  SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
  SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
  SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b
\Users\Admin\AppData\Roaming\Windows Update.exe (listed twice with identical hashes)
  Filesize: 596KB
  MD5: eeeef046f5456cfc861fd40c459c6891
  SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
  SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
  SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b

Memory dumps (resource | Filesize)
memory/600-93-0x00000000739C0000-0x0000000073F6B000-memory.dmp | 5.7MB
memory/600-75-0x0000000000000000-mapping.dmp
memory/600-87-0x00000000739C0000-0x0000000073F6B000-memory.dmp | 5.7MB
memory/860-55-0x0000000073F70000-0x000000007451B000-memory.dmp | 5.7MB
memory/860-56-0x0000000073F70000-0x000000007451B000-memory.dmp | 5.7MB
memory/860-71-0x0000000073F70000-0x000000007451B000-memory.dmp | 5.7MB
memory/860-54-0x0000000075071000-0x0000000075073000-memory.dmp | 8KB
memory/948-59-0x0000000000000000-mapping.dmp
memory/1320-104-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
memory/1320-101-0x0000000000411106-mapping.dmp
memory/1320-100-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
memory/1320-105-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
memory/1468-99-0x0000000073F70000-0x000000007451B000-memory.dmp | 5.7MB
memory/1468-97-0x0000000073F70000-0x000000007451B000-memory.dmp | 5.7MB
memory/1468-89-0x000000000048266E-mapping.dmp
memory/1800-69-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-79-0x00000000739C0000-0x0000000073F6B000-memory.dmp | 5.7MB
memory/1800-67-0x000000000048266E-mapping.dmp
memory/1800-60-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-65-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-66-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-61-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-72-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1800-63-0x0000000000400000-0x000000000048A000-memory.dmp | 552KB
memory/1820-58-0x0000000000000000-mapping.dmp