Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 17:00
Static task: static1
Behavioral task: behavioral1
Sample: 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
Resource: win7-20221111-en
General
Target: 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
Size: 627KB
MD5: f72f0bd4740a5bf40302898abb26648e
SHA1: a829f08134ccc32ea00b9169b2a0ad853e26f55d
SHA256: 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd
SHA512: e4186448cecb97eddeafe25092b6654eef0e00743d39e1c4322c62eeb6b552fd16d274e7c9bc217791b414b14a29746cd261ad742a587e106f859b96e4f325b4
SSDEEP: 12288:L0hcCkjICIT47WQCVq6duV5O1GFk6hl+0uTrAQQ132arcj/GVeWN/Wzj:YhuQIWQCYquTO0Fk6hc0uT43NycO
Malware Config
Signatures
NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
Processes:
  resource: behavioral2/memory/372-134-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
Processes:
  resource: behavioral2/memory/372-134-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: WebBrowserPassView

Nirsoft (1 IoC)
Processes:
  resource: behavioral2/memory/372-134-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: Nirsoft

Executes dropped EXE (2 IoCs)
Processes:
  pid 4124: Windows Update.exe
  pid 1204: Windows Update.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, by 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe", by Windows Update.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 50: whatismyipaddress.com
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 5056 set thread context of 372 (0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe -> 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe)
  PID 4124 set thread context of 1204 (Windows Update.exe -> Windows Update.exe)
  PID 1204 set thread context of 4620 (Windows Update.exe -> vbc.exe)
  PID 1204 set thread context of 3040 (Windows Update.exe -> vbc.exe)

Drops file in Windows directory (1 IoC)
Processes:
  File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp, by dw20.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
  pid 2276 WerFault.exe, target pid 3040 vbc.exe
  pid 2144 WerFault.exe, target pid 3040 vbc.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by dw20.exe
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, by dw20.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, by dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, by dw20.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, by dw20.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 1204 Windows Update.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1204 Windows Update.exe
  Token: SeRestorePrivilege, pid 2316 dw20.exe
  Token: SeBackupPrivilege, pid 2316 dw20.exe (4 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 1204 Windows Update.exe

Suspicious use of WriteProcessMemory (39 IoCs)
Processes:
  PID 5056 wrote to memory of 372 (0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe -> 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe), 8 entries
  PID 372 wrote to memory of 4124 (0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe -> Windows Update.exe), 3 entries
  PID 4124 wrote to memory of 1204 (Windows Update.exe -> Windows Update.exe), 8 entries
  PID 1204 wrote to memory of 3040 (Windows Update.exe -> vbc.exe), 8 entries
  PID 1204 wrote to memory of 4620 (Windows Update.exe -> vbc.exe), 5 entries
  PID 1204 wrote to memory of 3040 (Windows Update.exe -> vbc.exe), 1 entry
  PID 1204 wrote to memory of 2316 (Windows Update.exe -> dw20.exe), 3 entries
  PID 3040 wrote to memory of 2276 (vbc.exe -> WerFault.exe), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 188
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 188
            - Program crash

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 2440
          - Drops file in Windows directory
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3040 -ip 3040
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe.log
  Filesize: 500B
  MD5: 316b893cb8d745c9eef9570036c8b3ca
  SHA1: cbc6946021df5209ea26e10d001e7b147d2b93c6
  SHA256: f6914cb6b6ac49145bd1bd2bd2339ae0cbfedfdee06ff692ed87619ce4c5b945
  SHA512: ae09efc1870ba009c9c458ad48e755a2bc76a2338800eeaffc672c1b81700294cc646378b9597e02d7dac170c4ad0752eb969a7d567e1c913390401c69978ec8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log
  Filesize: 680B
  MD5: 0dd5377429a57612efdc15a9cfe56267
  SHA1: 90437bbacde93bbe5e2808b801ed843db186babd
  SHA256: 98b015fece99228b9447afb9f427cd63be8415da0256b12dcfb9ed1f3b8a0d14
  SHA512: 678b0daf543f08eeb17c7b4b575eab6e3002c08c53fea2ab6218c23f1c26aa2a5dcf7e2e54c3dc22ca74afcb9a92bdf801feeca0fbf7de1c852c93aeefca5fc5

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: ae55808126ae7e0afde527117517b0c7
  SHA1: 8f0a47e350f58c04a7a48550991c25027910a381
  SHA256: 953875015204e5f4c7937d02d76fe0928dc8a93c434c51a078ad7c6407bc59d6
  SHA512: c0be3dbf584c70ddc3b67c10d398803d9267f212acf52a524546b86d8de3196aba5485f2090d6d32554aa333377f7cdfe67d629b1899924a933ebc9954c92599

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 627KB
  MD5: f72f0bd4740a5bf40302898abb26648e
  SHA1: a829f08134ccc32ea00b9169b2a0ad853e26f55d
  SHA256: 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd
  SHA512: e4186448cecb97eddeafe25092b6654eef0e00743d39e1c4322c62eeb6b552fd16d274e7c9bc217791b414b14a29746cd261ad742a587e106f859b96e4f325b4
memory/372-141-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/372-136-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/372-134-0x0000000000400000-0x0000000000488000-memory.dmp, Filesize: 544KB
memory/372-133-0x0000000000000000-mapping.dmp
memory/1204-159-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/1204-143-0x0000000000000000-mapping.dmp
memory/1204-148-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/1204-150-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/2276-158-0x0000000000000000-mapping.dmp
memory/2316-157-0x0000000000000000-mapping.dmp
memory/3040-151-0x0000000000000000-mapping.dmp
memory/3040-154-0x0000000000400000-0x0000000000458000-memory.dmp, Filesize: 352KB
memory/4124-142-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/4124-147-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/4124-137-0x0000000000000000-mapping.dmp
memory/4620-152-0x0000000000000000-mapping.dmp
memory/5056-132-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB
memory/5056-135-0x0000000074D80000-0x0000000075331000-memory.dmp, Filesize: 5.7MB