Analysis

max time kernel: 106s
max time network: 135s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:17
Static task: static1

Behavioral task: behavioral1
  Sample: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
  Resource: win10v2004-20221111-en
General

Target: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Size: 576KB
MD5: 4fbf3ef1ae2a1e7a4ac62217833fd135
SHA1: b1e95acd1d6c5ece5009aad16e200391f04e371b
SHA256: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
SHA512: becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1
SSDEEP: 12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy
Malware Config
Signatures
-
NirSoft MailPassView 9 IoCs
Password recovery tool for various email clients
Processes:
resource                                                                     yara_rule
behavioral1/memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp   MailPassView
behavioral1/memory/316-67-0x000000000047EA3E-mapping.dmp                     MailPassView
behavioral1/memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp   MailPassView
behavioral1/memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp   MailPassView
behavioral1/memory/1164-77-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1164-78-0x0000000000411654-mapping.dmp                    MailPassView
behavioral1/memory/1164-81-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1164-83-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
behavioral1/memory/1164-90-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
Processes:
resource                                                                     yara_rule
behavioral1/memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp   WebBrowserPassView
behavioral1/memory/316-67-0x000000000047EA3E-mapping.dmp                     WebBrowserPassView
behavioral1/memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp   WebBrowserPassView
behavioral1/memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp   WebBrowserPassView
behavioral1/memory/1724-84-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1724-85-0x0000000000442628-mapping.dmp                    WebBrowserPassView
behavioral1/memory/1724-88-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1724-89-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
behavioral1/memory/1724-92-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
-
Nirsoft 14 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp   Nirsoft
behavioral1/memory/316-67-0x000000000047EA3E-mapping.dmp                     Nirsoft
behavioral1/memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp   Nirsoft
behavioral1/memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp   Nirsoft
behavioral1/memory/1164-77-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1164-78-0x0000000000411654-mapping.dmp                    Nirsoft
behavioral1/memory/1164-81-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1164-83-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1724-84-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1724-85-0x0000000000442628-mapping.dmp                    Nirsoft
behavioral1/memory/1724-88-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1724-89-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
behavioral1/memory/1164-90-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral1/memory/1724-92-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
624   hgcgc.exe
316   svchost.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
864   2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
864   2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
624   hgcgc.exe
-
Uses the VBS compiler for execution 1 TTPs
(vbc.exe is the .NET Visual Basic compiler shipped with the Framework; here it is started only to host injected code, see the SetThreadContext and WriteProcessMemory entries below.)
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description   ioc                                                                                                               process
Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description        ioc                                                                                                                                                                process
Set value (str)    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\chcgcx = "C:\\Users\\Admin\\AppData\\Roaming\\downloads\\hgcgc.exe"   2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
4      whatismyipaddress.com
6      whatismyipaddress.com
7      whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process       target process
PID 624 set thread context of 316    624   hgcgc.exe     svchost.exe
PID 316 set thread context of 1164   316   svchost.exe   vbc.exe
PID 316 set thread context of 1724   316   svchost.exe   vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; nothing else in this report supports that reading. The NirSoft password-recovery images injected into vbc.exe and the /stext output files written to Temp point to credential theft instead.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   316   svchost.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
864   2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
624   hgcgc.exe
316   svchost.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
(38 events, identical rows grouped with a count)

description                        pid   process                                                                   target process   count
PID 864 wrote to memory of 624     864   2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe    hgcgc.exe        4
PID 624 wrote to memory of 316     624   hgcgc.exe                                                                 svchost.exe      14
PID 316 wrote to memory of 1164    316   svchost.exe                                                               vbc.exe          10
PID 316 wrote to memory of 1724    316   svchost.exe                                                               vbc.exe          10
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
    command line: "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts

      depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
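Three things in the tree above are worth turning into detection logic: svchost.exe running from %TEMP% rather than System32, a process whose command line names a different executable (hgcgc.exe) than its loaded image (svchost.exe), which is what a child created suspended and then overwritten looks like, and vbc.exe started with the NirSoft /stext switch pointing at a file in Temp. Together with the Run key value pointing into AppData\Roaming these make a compact triage rule set. The Python below is an added example, not the sandbox's code: it applies those checks to process-create and registry events constructed from this report in a Sysmon-like shape. The field names, rule names and ppid 0 for the root process are assumptions.

```python
"""Rule-based triage of the process tree and Run-key IoC from this report.

Added example, not the sandbox's code. The events are constructed from the
report's process tree and registry IoC and shaped like Sysmon Event ID 1
(process create) and Event ID 13 (registry value set); the field names, the
rule names and ppid 0 for the root process are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the loaded executable
    cmdline: str    # command line passed to CreateProcess


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value: str


SAMPLE = "2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
ROAM = "C:\\Users\\Admin\\AppData\\Roaming\\downloads"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"

# Constructed from the report's process tree (pids as listed there).
PROCS = [
    ProcEvent(864, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(624, 864, ROAM + "\\hgcgc.exe", '"' + ROAM + '\\hgcgc.exe"'),
    # image is svchost.exe in %TEMP%, but the command line is hgcgc.exe's
    ProcEvent(316, 624, TEMP + "\\svchost.exe", '"' + ROAM + '\\hgcgc.exe"'),
    ProcEvent(1164, 316, VBC, VBC + ' /stext "' + TEMP + '\\holdermail.txt"'),
    ProcEvent(1724, 316, VBC, VBC + ' /stext "' + TEMP + '\\holderwb.txt"'),
]
# Constructed from the "Adds Run key to start application" IoC.
REGS = [
    RegEvent(864,
             "HKU\\S-1-5-21-2292972927-2705560509-2768824231-1000\\Software\\Microsoft"
             "\\Windows\\CurrentVersion\\Run\\chcgcx",
             ROAM + "\\hgcgc.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe"}   # extend with other system binary names as needed


def first_exe_in_cmdline(cmdline):
    """Base name of the executable the command line claims to run."""
    m = re.match(r'\s*"?(.+?\.exe)\b', cmdline, re.IGNORECASE)
    return ntpath.basename(m.group(1)).lower() if m else ""


def process_findings(ev):
    """Names of the rules that fire on one process-create event."""
    hits = []
    name = ntpath.basename(ev.image).lower()
    # a system binary name loaded from outside the system directories
    if name in SYSTEM_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS):
        hits.append("system-name-outside-system-dir")
    # command line names a different executable than the loaded image
    claimed = first_exe_in_cmdline(ev.cmdline)
    if claimed and claimed != name:
        hits.append("image-cmdline-mismatch")
    # vbc.exe with the NirSoft /stext "save results to text file" switch
    if name == "vbc.exe" and re.search(r"(?:^|\s)/stext\s", ev.cmdline, re.IGNORECASE):
        hits.append("vbc-stext-credential-dump")
    return hits


def registry_findings(ev):
    hits = []
    if (re.search(r"\\currentversion\\run\\", ev.key, re.IGNORECASE)
            and re.search(r"\\appdata\\", ev.value, re.IGNORECASE)):
        hits.append("run-key-points-into-appdata")
    return hits


def ancestry(procs, pid):
    """Image names from pid up to the root, child first."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image).lower())
        pid = by_pid[pid].ppid
    return chain


def triage(procs, regs):
    """Map pid -> {'rules': [...], 'chain': [...]} for every pid with a hit."""
    report = {}
    for ev in procs:
        hits = process_findings(ev)
        if hits:
            report[ev.pid] = {"rules": hits, "chain": ancestry(procs, ev.pid)}
    for ev in regs:
        hits = registry_findings(ev)
        if hits:
            entry = report.setdefault(ev.pid, {"rules": [], "chain": ancestry(procs, ev.pid)})
            entry["rules"].extend(hits)
    return report


if __name__ == "__main__":
    for pid, info in sorted(triage(PROCS, REGS).items()):
        print(pid, " > ".join(reversed(info["chain"])), info["rules"])
```

The image/command-line mismatch is the check that survives renaming: a dropper can call its payload anything, but a hollowed child keeps the command line it was created with while its executable image is replaced. Real telemetry should also feed the WriteProcessMemory and SetThreadContext events into the same per-pid record, since the 14 writes from 624 into 316 listed above are the other half of that picture.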
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\svchost.exe
  (listed three times in the report, twice under C:\Users\... and once under \Users\..., with identical hashes)
  Filesize: 32KB
  MD5: d79f070423fdd3f01ce8c2ba3fbbc8ed
  SHA1: 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
  SHA256: 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
  SHA512: 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
  (listed three times in the report, once under C:\Users\... and twice under \Users\..., with identical hashes)
  Filesize: 576KB
  MD5: bd69f5cbb1c7b9e0b9af4cd6f5c0b518
  SHA1: 25b677796521fbe484cb6b6a1c863033b1fae404
  SHA256: 71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc
  SHA512: 53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd
Memory dumps (grouped by pid, in sequence order; size is the dumped range)

memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp    528KB
memory/316-67-0x000000000047EA3E-mapping.dmp
memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp    528KB
memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp    528KB
memory/316-75-0x0000000074C00000-0x00000000751AB000-memory.dmp    5.7MB
memory/316-76-0x0000000074C00000-0x00000000751AB000-memory.dmp    5.7MB
memory/316-82-0x00000000000A0000-0x00000000000E0000-memory.dmp    256KB
memory/316-93-0x00000000000A0000-0x00000000000E0000-memory.dmp    256KB
memory/624-60-0x0000000000000000-mapping.dmp
memory/864-56-0x0000000076261000-0x0000000076263000-memory.dmp    8KB
memory/864-57-0x0000000000280000-0x0000000000286000-memory.dmp    24KB
memory/1164-77-0x0000000000400000-0x000000000041B000-memory.dmp   108KB
memory/1164-78-0x0000000000411654-mapping.dmp
memory/1164-81-0x0000000000400000-0x000000000041B000-memory.dmp   108KB
memory/1164-83-0x0000000000400000-0x000000000041B000-memory.dmp   108KB
memory/1164-90-0x0000000000400000-0x000000000041B000-memory.dmp   108KB
memory/1724-84-0x0000000000400000-0x0000000000458000-memory.dmp   352KB
memory/1724-85-0x0000000000442628-mapping.dmp
memory/1724-88-0x0000000000400000-0x0000000000458000-memory.dmp   352KB
memory/1724-89-0x0000000000400000-0x0000000000458000-memory.dmp   352KB
memory/1724-92-0x0000000000400000-0x0000000000458000-memory.dmp   352KB
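The YARA rows under Signatures and the memory list above share one naming scheme: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp for a dumped range and memory/<pid>-<seq>-0x<addr>-mapping.dmp for a single address. Parsing it lets you recompute the sizes the report prints (0x484000 - 0x400000 = 528KB at pid 316, much larger than the 32KB svchost.exe dropped on disk), group the rule hits per pid (the hollowed svchost.exe holds both NirSoft images, each vbc.exe receives exactly one, matching the holdermail.txt and holderwb.txt outputs), and confirm that each mapping address falls inside a dumped range of the same pid. The Python below is an added example, not the sandbox's code; the two hit rows are copied from this report, and reading the mapping address as a pointer into the injected image is an assumption.

```python
"""Parse the memory-dump names and YARA rows from this report.

Added example, not the sandbox's code. The hit rows are copied from the
report's MailPassView and WebBrowserPassView signatures; treating a mapping
address as a pointer into the injected image is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+)-memory|-mapping)\.dmp$"
)

MAILPASS_ROW = """
behavioral1/memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView
behavioral1/memory/316-67-0x000000000047EA3E-mapping.dmp MailPassView
behavioral1/memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView
behavioral1/memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView
behavioral1/memory/1164-77-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1164-78-0x0000000000411654-mapping.dmp MailPassView
behavioral1/memory/1164-81-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1164-83-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
behavioral1/memory/1164-90-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView
"""
WEBPASS_ROW = """
behavioral1/memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView
behavioral1/memory/316-67-0x000000000047EA3E-mapping.dmp WebBrowserPassView
behavioral1/memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView
behavioral1/memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView
behavioral1/memory/1724-84-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1724-85-0x0000000000442628-mapping.dmp WebBrowserPassView
behavioral1/memory/1724-88-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1724-89-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
behavioral1/memory/1724-92-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView
"""


def parse_dump_name(name):
    """pid, sequence number, start address and (for ranges) end address."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError("not a triage dump name: " + name)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": int(m["start"], 16), "end": end}


def region_size(name):
    d = parse_dump_name(name)
    return None if d["end"] is None else d["end"] - d["start"]


def human_size(nbytes):
    """Same rounding the report shows: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_hits(row):
    """(dump name, rule name) pairs from a 'resource yara_rule' row."""
    return re.findall(r"(\S+\.dmp)\s+(\w+)", row)


def tools_by_pid(*rows):
    """Which rules hit which pid's memory."""
    out = defaultdict(set)
    for row in rows:
        for name, rule in parse_hits(row):
            out[parse_dump_name(name)["pid"]].add(rule)
    return dict(out)


def mappings_inside_regions(*rows):
    """Per pid: does every mapping address fall inside a dumped range of that pid?"""
    regions, mappings = defaultdict(list), defaultdict(list)
    for row in rows:
        for name, _ in parse_hits(row):
            d = parse_dump_name(name)
            (regions if d["end"] is not None else mappings)[d["pid"]].append(d)
    return {pid: all(any(r["start"] <= a["start"] < r["end"] for r in regions[pid]) for a in addrs)
            for pid, addrs in mappings.items()}


if __name__ == "__main__":
    for row in (MAILPASS_ROW, WEBPASS_ROW):
        for name, rule in parse_hits(row):
            size = region_size(name)
            print(f"{name:76} {rule:19} {human_size(size) if size else 'mapping'}")
    print(tools_by_pid(MAILPASS_ROW, WEBPASS_ROW))
    print(mappings_inside_regions(MAILPASS_ROW, WEBPASS_ROW))
```

The per-pid grouping is the useful output for a report like this one: it tells you which dump to pull for each tool (316-66 carries both images, 1164-77 the mail tool, 1724-84 the browser tool) without reading three near-identical signature tables.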