Analysis
max time kernel: 231s
max time network: 249s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
  Resource: win10v2004-20221111-en
General
Target: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Size: 1.1MB
MD5: f318e540a01cf649bbb1640c81c55c94
SHA1: 7afdb12755c99467b79dcc7ca92b07cac8b38a93
SHA256: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
SHA512: a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
SSDEEP: 24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: drlwjrdttnageixp
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
Processes (resource: yara_rule):
- behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp: MailPassView
- behavioral2/memory/3788-149-0x0000000000000000-mapping.dmp: MailPassView
- behavioral2/memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
Processes (resource: yara_rule):
- behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp: WebBrowserPassView
Nirsoft (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp: Nirsoft
- behavioral2/memory/3788-149-0x0000000000000000-mapping.dmp: Nirsoft
- behavioral2/memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
Executes dropped EXE (3 IoCs)
Processes (pid: process):
- 2128: nvtray.exe
- 2284: nvtray.exe
- 3952: nvtray.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Uses the VBS compiler for execution (1 TTP)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 98 | whatismyipaddress.com
- 102 | whatismyipaddress.com
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | nvtray.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | nvtray.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 2128 set thread context of 3952 | 2128 | nvtray.exe | nvtray.exe
- PID 3952 set thread context of 3788 | 3952 | nvtray.exe | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid: process, with the number of identical rows in the report for each):
- 3192: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe (1 row)
- 2128: nvtray.exe (37 rows)
- 3952: nvtray.exe (26 rows)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3192 | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
- Token: SeDebugPrivilege | 2128 | nvtray.exe
- Token: SeDebugPrivilege | 3952 | nvtray.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid: process):
- 3952: nvtray.exe
Suspicious use of WriteProcessMemory (29 IoCs)
Processes (description | pid | process | target process; the count in parentheses is the number of identical rows in the report):
- PID 3192 wrote to memory of 3944 | 3192 | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe | cmd.exe (3 rows)
- PID 3944 wrote to memory of 2492 | 3944 | cmd.exe | reg.exe (3 rows)
- PID 3192 wrote to memory of 2128 | 3192 | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe | nvtray.exe (3 rows)
- PID 2128 wrote to memory of 2284 | 2128 | nvtray.exe | nvtray.exe (3 rows)
- PID 2128 wrote to memory of 3952 | 2128 | nvtray.exe | nvtray.exe (8 rows)
- PID 3952 wrote to memory of 3788 | 3952 | nvtray.exe | vbc.exe (9 rows)
Processes (indentation shows parent/child depth; each entry gives the image path, then the command line, then the signatures hit)

C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe"

    C:\Users\Admin\AppData\Roaming\nvtray.exe
      Command line: "C:\Users\Admin\AppData\Roaming\nvtray.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\nvtray.exe
          Command line: "C:\Users\Admin\AppData\Roaming\nvtray.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\nvtray.exe
          Command line: "C:\Users\Admin\AppData\Roaming\nvtray.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\nvtray.exe (listed four times in the report with identical size and hashes)
  Filesize: 1.1MB
  MD5: f318e540a01cf649bbb1640c81c55c94
  SHA1: 7afdb12755c99467b79dcc7ca92b07cac8b38a93
  SHA256: b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
  SHA512: a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
- memory/2128-140-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/2128-141-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/2128-136-0x0000000000000000-mapping.dmp
- memory/2284-142-0x0000000000000000-mapping.dmp
- memory/2492-135-0x0000000000000000-mapping.dmp
- memory/3192-133-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/3192-132-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/3192-139-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/3788-149-0x0000000000000000-mapping.dmp
- memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3944-134-0x0000000000000000-mapping.dmp
- memory/3952-144-0x0000000000000000-mapping.dmp
- memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3952-147-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)
- memory/3952-148-0x00000000751D0000-0x0000000075781000-memory.dmp (Filesize: 5.7MB)