Analysis
max time kernel: 127s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Resource: win10v2004-20221111-en
General
Target: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
Size: 596KB
MD5: eeeef046f5456cfc861fd40c459c6891
SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b
SSDEEP: 6144:R6ju7BA9luh8zWC82h19oikIIeapv6EQ6/kIIGGGMzaAyFdzDTruVXwpccNfL0d3:t8yAv7apDQCHGG7H++q4LbmS
Malware Config
Signatures
NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
  resource: behavioral2/memory/4800-137-0x0000000000400000-0x000000000048A000-memory.dmp  yara_rule: MailPassView

NirSoft WebBrowserPassView (6 IoCs)
Password recovery tool for various web browsers
  resource: behavioral2/memory/4800-137-0x0000000000400000-0x000000000048A000-memory.dmp  yara_rule: WebBrowserPassView
  resource: behavioral2/memory/2880-156-0x0000000000000000-mapping.dmp  yara_rule: WebBrowserPassView
  resource: behavioral2/memory/2880-157-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: WebBrowserPassView
  resource: behavioral2/memory/2880-159-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: WebBrowserPassView
  resource: behavioral2/memory/2880-161-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: WebBrowserPassView
  resource: behavioral2/memory/2880-162-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: WebBrowserPassView

Nirsoft (6 IoCs)
  resource: behavioral2/memory/4800-137-0x0000000000400000-0x000000000048A000-memory.dmp  yara_rule: Nirsoft
  resource: behavioral2/memory/2880-156-0x0000000000000000-mapping.dmp  yara_rule: Nirsoft
  resource: behavioral2/memory/2880-157-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: Nirsoft
  resource: behavioral2/memory/2880-159-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: Nirsoft
  resource: behavioral2/memory/2880-161-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: Nirsoft
  resource: behavioral2/memory/2880-162-0x0000000000400000-0x0000000000459000-memory.dmp  yara_rule: Nirsoft

Executes dropped EXE (2 IoCs)
Processes:
  PID 732   Windows Update.exe
  PID 3856  Windows Update.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  process: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  process: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  process: vbc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run  process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk"  process: reg.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 40  ioc: whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 2092 set thread context of 4800  (eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe -> eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe)
  PID 732 set thread context of 3856   (Windows Update.exe -> Windows Update.exe)
  PID 3856 set thread context of 804   (Windows Update.exe -> vbc.exe)
  PID 3856 set thread context of 2880  (Windows Update.exe -> vbc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  PID 2092  eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe  (x2)
  PID 732   Windows Update.exe  (x2)
  PID 3856  Windows Update.exe
  PID 2880  vbc.exe  (x2)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2092  eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe
  Token: SeDebugPrivilege  PID 732   Windows Update.exe
  Token: SeDebugPrivilege  PID 3856  Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 3856  Windows Update.exe

Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed with a count)
Processes:
  PID 2092 wrote to memory of 2384  (eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe -> cmd.exe)  x3
  PID 2384 wrote to memory of 1848  (cmd.exe -> reg.exe)  x3
  PID 2092 wrote to memory of 4800  (eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe -> eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe)  x8
  PID 4800 wrote to memory of 732   (eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe -> Windows Update.exe)  x3
  PID 732 wrote to memory of 3856   (Windows Update.exe -> Windows Update.exe)  x8
  PID 3856 wrote to memory of 804   (Windows Update.exe -> vbc.exe)  x9
  PID 3856 wrote to memory of 2880  (Windows Update.exe -> vbc.exe)  x9
Processes
C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe (PID 2092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2384)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 1848)
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      - Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe (PID 4800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 732)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 3856)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 804)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2880)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 7a41a2c0ab3c89ea72c9b1a51e66e35a
  SHA1: 86a4f0f045151875dd7434d0b88f9b7631ff091a
  SHA256: 49a57814154518de9f36076b2186250d3d3ff39ece9d646379a189016f655013
  SHA512: ace2d74a2928cf575d6f5b84b08deaa9f3d226c774c70bfbf4c1f4fe8d8897848c810b02cff6c8721421db5cf4251e1bbb13d03adf3d530448c42493530ba44c
C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 596KB
  MD5: eeeef046f5456cfc861fd40c459c6891
  SHA1: b37e91ad182fe800e2c0ee08b0dd4c01f5f8fa96
  SHA256: eb090a048d52c44cea30006c9433e4a856e536bdcdf8ccd279053b6418cd4429
  SHA512: 82407f5343a6a3fa30af975cb4087b395a2eb49ac81acdb48ee86076215823bfc2dfb46503e47ad912ad25514e7e9560e888104cb8d75503fdff69efa6829d1b
Memory dumps:
  memory/732-147-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/732-140-0x0000000000000000-mapping.dmp
  memory/804-155-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/804-154-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/804-152-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/804-151-0x0000000000000000-mapping.dmp
  memory/804-160-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/1848-135-0x0000000000000000-mapping.dmp
  memory/2092-133-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/2092-132-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/2092-138-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/2384-134-0x0000000000000000-mapping.dmp
  memory/2880-159-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
  memory/2880-157-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
  memory/2880-156-0x0000000000000000-mapping.dmp
  memory/2880-161-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
  memory/2880-162-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
  memory/3856-144-0x0000000000000000-mapping.dmp
  memory/3856-150-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/3856-148-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/4800-139-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/4800-143-0x0000000074D70000-0x0000000075321000-memory.dmp  5.7MB
  memory/4800-136-0x0000000000000000-mapping.dmp
  memory/4800-137-0x0000000000400000-0x000000000048A000-memory.dmp  552KB