bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938

Analysis

max time kernel
191s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:58

Target

bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
Size

611KB
MD5

ad47cfd40857dc7a8560e13a21446d3c
SHA1

95b8a713ff383777cebf0a5fb9b5bd78be9b3195
SHA256

bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938
SHA512

b32fdf3cf8605d2766e427281ff908f954315d586b16383adc4aa22294f7800d4ff2cd8c9526b050489532f6da5a349fd8d041b71cc4cef4d3bca068a77dd5f8
SSDEEP

12288:ahJlg4a4SkSxK9CJnIv5eBMfUSOxwGCTRywJPc171VQQFy6Pu:WJta4SrsC1xMccGA7JUdAQF

Score

9^/10

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2240-135-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2240-135-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-135-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

79 whatismyipaddress.com

flow	ioc
79	whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

description	pid	process	target process
PID 2928 set thread context of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exebd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

description	pid	process
Token: SeDebugPrivilege	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
Token: SeDebugPrivilege	2240	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

description	pid	process	target process
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
PID 2928 wrote to memory of 2240	2928	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe	bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe

C:\Users\Admin\AppData\Local\Temp\bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
"C:\Users\Admin\AppData\Local\Temp\bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe
  "C:\Users\Admin\AppData\Local\Temp\bd97fa4a869e6abe3d7281da4732db2a1f6878925095aa0c23acd64ea99af938.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

memory/2240-134-0x0000000000000000-mapping.dmp

Download
memory/2240-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2240-137-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2240-138-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2928-132-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2928-133-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2928-136-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download