b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

General

Target

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Size

1.1MB
MD5

f318e540a01cf649bbb1640c81c55c94
SHA1

7afdb12755c99467b79dcc7ca92b07cac8b38a93
SHA256

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
SHA512

a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
SSDEEP

24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
drlwjrdttnageixp

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/3788-149-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/3788-149-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

nvtray.exenvtray.exenvtray.exe

pid process

2128 nvtray.exe
2284 nvtray.exe
3952 nvtray.exe

pid	process
2128	nvtray.exe
2284	nvtray.exe
3952	nvtray.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

98 whatismyipaddress.com
102 whatismyipaddress.com

flow	ioc
98	whatismyipaddress.com
102	whatismyipaddress.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nvtray.exeb4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	nvtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nvtray.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

nvtray.exenvtray.exe

description	pid	process	target process
PID 2128 set thread context of 3952	2128	nvtray.exe	nvtray.exe
PID 3952 set thread context of 3788	3952	nvtray.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exenvtray.exenvtray.exe

pid	process
3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
2128	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe
3952	nvtray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exenvtray.exenvtray.exe

description	pid	process
Token: SeDebugPrivilege	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Token: SeDebugPrivilege	2128	nvtray.exe
Token: SeDebugPrivilege	3952	nvtray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nvtray.exe

pid process

3952 nvtray.exe

pid	process
3952	nvtray.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.execmd.exenvtray.exenvtray.exe

description	pid	process	target process
PID 3192 wrote to memory of 3944	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 3192 wrote to memory of 3944	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 3192 wrote to memory of 3944	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 3944 wrote to memory of 2492	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 2492	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 2492	3944	cmd.exe	reg.exe
PID 3192 wrote to memory of 2128	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 3192 wrote to memory of 2128	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 3192 wrote to memory of 2128	3192	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 2128 wrote to memory of 2284	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 2284	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 2284	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 2128 wrote to memory of 3952	2128	nvtray.exe	nvtray.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe
PID 3952 wrote to memory of 3788	3952	nvtray.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
"C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe"
3⤵
PID:2492

C:\Users\Admin\AppData\Roaming\nvtray.exe
"C:\Users\Admin\AppData\Roaming\nvtray.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Roaming\nvtray.exe
"C:\Users\Admin\AppData\Roaming\nvtray.exe"
3⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Roaming\nvtray.exe
"C:\Users\Admin\AppData\Roaming\nvtray.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
memory/2128-140-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2128-141-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2128-136-0x0000000000000000-mapping.dmp

Download
memory/2284-142-0x0000000000000000-mapping.dmp

Download
memory/2492-135-0x0000000000000000-mapping.dmp

Download
memory/3192-133-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3192-132-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3192-139-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3788-149-0x0000000000000000-mapping.dmp

Download
memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3944-134-0x0000000000000000-mapping.dmp

Download
memory/3952-144-0x0000000000000000-mapping.dmp

Download
memory/3952-145-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3952-147-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3952-148-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads