Analysis
- max time kernel: 148s
- max time network: 181s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 13:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Resource: win7-20221111-en
General
- Target: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Size: 561KB
- MD5: e2edbdf4559a85cd198c10814871a6bc
- SHA1: 6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
- SHA256: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
- SHA512: a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
- SSDEEP: 12288:DHkGcrDdXoIu8YVlGxYl/5ozNfCOQgeYSSZiCJBp:7RciIu8YVlSe/5ozNmYSqi+p
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: sasuke2014
Signatures

NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients
Processes (resource: yara_rule):
- behavioral1/memory/2012-66-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/2012-67-0x0000000000411654-mapping.dmp: MailPassView
- behavioral1/memory/2012-70-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/2012-71-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/2012-72-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView

NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
Processes (resource: yara_rule):
- behavioral1/memory/1676-73-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1676-74-0x0000000000442628-mapping.dmp: WebBrowserPassView
- behavioral1/memory/1676-77-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1676-78-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1676-80-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView

Nirsoft (10 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/2012-66-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/2012-67-0x0000000000411654-mapping.dmp: Nirsoft
- behavioral1/memory/2012-70-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/2012-71-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/2012-72-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1676-73-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1676-74-0x0000000000442628-mapping.dmp: Nirsoft
- behavioral1/memory/1676-77-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1676-78-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1676-80-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
Executes dropped EXE (1 IoC)
Processes (pid: process):
- 1068: Windows Update.exe

Deletes itself (1 IoC)
Processes (pid: process):
- 1068: Windows Update.exe

Loads dropped DLL (1 IoC)
Processes (pid: process):
- 2028: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (Windows Update.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow: ioc):
- 4: whatismyipaddress.com
- 6: whatismyipaddress.com
- 7: whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
- PID 1068 set thread context of 2012: Windows Update.exe -> vbc.exe
- PID 1068 set thread context of 1676: Windows Update.exe -> vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid: process):
- 1068: Windows Update.exe
- 1068: Windows Update.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2028, 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Token: 33, 2028, 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Token: SeIncBasePriorityPrivilege, 2028, 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
- Token: SeDebugPrivilege, 1068, Windows Update.exe
- Token: 33, 1068, Windows Update.exe
- Token: SeIncBasePriorityPrivilege, 1068, Windows Update.exe
- Token: 33, 1068, Windows Update.exe
- Token: SeIncBasePriorityPrivilege, 1068, Windows Update.exe
- Token: 33, 1068, Windows Update.exe
- Token: SeIncBasePriorityPrivilege, 1068, Windows Update.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid: process):
- 1068: Windows Update.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description, pid, process, target process); identical entries are collapsed with a count:
- PID 2028 wrote to memory of 1068: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe -> Windows Update.exe (7 times)
- PID 1068 wrote to memory of 2012: Windows Update.exe -> vbc.exe (10 times)
- PID 1068 wrote to memory of 1676: Windows Update.exe -> vbc.exe (10 times)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 2604d7ffddc312ead7c9c41be977afe8
  SHA1: c7c7658bd8d4da6a3737d5bfaa4607d22ec44e53
  SHA256: 32d557da5c5805f32d343689da4fdadadc887c6a95e1a099883ce9694d501c49
  SHA512: 2812c90efb8305df394b8771fb95bec938893726192aa25272dc5afb6ec2d2ab2c5eb087da26130c2740db9f6890469392f1f55639a2624179b0c97e01981c1b
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times in the report, once under the path \Users\Admin\AppData\Roaming\Windows Update.exe; all three entries carry the same hashes, which are identical to those of the submitted sample)
  Filesize: 561KB
  MD5: e2edbdf4559a85cd198c10814871a6bc
  SHA1: 6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
  SHA256: 0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
  SHA512: a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea

Memory dumps (name: filesize):
- memory/1068-58-0x0000000000000000-mapping.dmp
- memory/1068-63-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/1068-64-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/1676-80-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1676-78-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1676-77-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/1676-74-0x0000000000442628-mapping.dmp
- memory/1676-73-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/2012-72-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/2012-71-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/2012-70-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/2012-67-0x0000000000411654-mapping.dmp
- memory/2012-66-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/2028-56-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/2028-62-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB
- memory/2028-54-0x0000000075881000-0x0000000075883000-memory.dmp: 8KB
- memory/2028-55-0x0000000074AF0000-0x000000007509B000-memory.dmp: 5.7MB