Analysis
max time kernel: 247s
max time network: 337s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 01:56
Static task: static1
Behavioral task: behavioral1
Sample: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
Resource: win7-20221111-en
General
Target: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
Size: 600KB
MD5: 27d84e58000078a566602e597aa73186
SHA1: 0521b65491fedad4f142baef107f4a691f3f5c06
SHA256: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88
SHA512: 1c26a751ca202de1deb6aee5da533b5fcedea4b530bb15f3e8ca06398519d6180e6735bd522949d2a3d0091ff804036278c79b87dc1e3bb84d9234606c8736c8
SSDEEP: 12288:MBtdzSMfWEGgEgt1rrRRXV3p+96cQP48KieqFrAoZlNFKihqw8:MBt89EbEe1rrV3p+9VQPFeqFrVZNP
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: overcomer123
Signatures
- NirSoft MailPassView (5 IoCs)
  Password recovery tool for various email clients
  Processes:
  resource  yara_rule
  behavioral1/memory/1744-92-0x0000000000411654-mapping.dmp  MailPassView
  behavioral1/memory/1744-91-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/1744-95-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/1744-96-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/1744-97-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
- Nirsoft (9 IoCs)
  Processes:
  resource  yara_rule
  behavioral1/memory/596-76-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/596-77-0x000000000040E758-mapping.dmp  Nirsoft
  behavioral1/memory/596-80-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/596-81-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/1744-92-0x0000000000411654-mapping.dmp  Nirsoft
  behavioral1/memory/1744-91-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/1744-95-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/1744-96-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/1744-97-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
- Disables RegEdit via registry modification (1 IoC)
  Processes: PO 2.exe
  description  ioc  process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  PO 2.exe
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes: PO 2.exe
  pid  process
  584  PO 2.exe
- Loads dropped DLL (3 IoCs)
  Processes: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe, dw20.exe
  pid  process
  628  4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
  628  4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
  1996  dw20.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes: vbc.exe
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  6  bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: PO 2.exe
  description  pid  process  target process
  PID 584 set thread context of 596  584  PO 2.exe  vbc.exe
  PID 584 set thread context of 1744  584  PO 2.exe  vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PO 2.exe
  description  pid  process
  Token: SeDebugPrivilege  584  PO 2.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PO 2.exe
  pid  process
  584  PO 2.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe, PO 2.exe
  description  pid  process  target process  (entries)
  PID 628 wrote to memory of 584  628  4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe  PO 2.exe  (4)
  PID 584 wrote to memory of 1996  584  PO 2.exe  dw20.exe  (4)
  PID 584 wrote to memory of 596  584  PO 2.exe  vbc.exe  (10)
  PID 584 wrote to memory of 1744  584  PO 2.exe  vbc.exe  (10)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\PO 2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PO 2.exe"
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            Command line: dw20.exe -x -s 848
            - Loads dropped DLL
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
            - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize: 444KB
MD5: e832e6b1625bd33408fe293f2a303ed9
SHA1: dc79ad7fd138003025304e9d0bbfff35a2929722
SHA256: 8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d
SHA512: 9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8
-
C:\Users\Admin\AppData\Local\Temp\logff.txt
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84