c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379

Analysis

max time kernel
207s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
Size

1.2MB
MD5

0c8e79eb046e7de5525fbad7d3c051eb
SHA1

03ea745c77087375744552f1b9ac5f6f4f9d1942
SHA256

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379
SHA512

ed2c188732d69f7273381e773f1adead2862348fc4ebd43a783be81777d309a6752913422484d6727d5c915a0a41160ea12f9778b3e307900094c4505b36a4aa
SSDEEP

24576:wtb20pkaCqT5TBWgNQ7aBW7GvVi4eUFkdTo5/pLP8t6A:5Vg5tQ7aBW7GNi4jOJeh7s5

Score

9^/10

collection spyware stealer upx

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp	WebBrowserPassView
behavioral2/memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp	Nirsoft
behavioral2/memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/424-156-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

mpv.exeWBP.exemespv.exepv.exe

pid process

4360 mpv.exe
5004 WBP.exe
1432 mespv.exe
424 pv.exe

pid	process
4360	mpv.exe
5004	WBP.exe
1432	mespv.exe
424	pv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mespv.exe	upx
C:\Users\Admin\AppData\Local\Temp\mespv.exe	upx
behavioral2/memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

mpv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mpv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

description pid process target process

PID 4252 set thread context of 664 4252 c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe vbc.exe

description	pid	process	target process
PID 4252 set thread context of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe

NTFS ADS 1 IoCs

Processes:

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe:Zone.Identifier:$DATA	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WBP.exemespv.exe

pid process

5004 WBP.exe
5004 WBP.exe
1432 mespv.exe
1432 mespv.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mespv.exe

description pid process

Token: SeDebugPrivilege 1432 mespv.exe

pid	process
5004	WBP.exe
5004	WBP.exe
1432	mespv.exe
1432	mespv.exe

description	pid	process
Token: SeDebugPrivilege	1432	mespv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

pid	process
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

pid	process
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exevbc.exe

description	pid	process	target process
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 4252 wrote to memory of 664	4252	c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe	vbc.exe
PID 664 wrote to memory of 4360	664	vbc.exe	mpv.exe
PID 664 wrote to memory of 4360	664	vbc.exe	mpv.exe
PID 664 wrote to memory of 4360	664	vbc.exe	mpv.exe
PID 664 wrote to memory of 5004	664	vbc.exe	WBP.exe
PID 664 wrote to memory of 5004	664	vbc.exe	WBP.exe
PID 664 wrote to memory of 5004	664	vbc.exe	WBP.exe
PID 664 wrote to memory of 1432	664	vbc.exe	mespv.exe
PID 664 wrote to memory of 1432	664	vbc.exe	mespv.exe
PID 664 wrote to memory of 1432	664	vbc.exe	mespv.exe
PID 664 wrote to memory of 424	664	vbc.exe	pv.exe
PID 664 wrote to memory of 424	664	vbc.exe	pv.exe
PID 664 wrote to memory of 424	664	vbc.exe	pv.exe

C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
"C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe"
1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\mpv.exe
C:\Users\Admin\AppData\Local\Temp\mpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mpvp.txt
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4360

C:\Users\Admin\AppData\Local\Temp\WBP.exe
C:\Users\Admin\AppData\Local\Temp\WBP.exe /stext C:\Users\Admin\AppData\Local\Temp\WBVP.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Users\Admin\AppData\Local\Temp\mespv.exe
C:\Users\Admin\AppData\Local\Temp\mespv.exe /stext C:\Users\Admin\AppData\Local\Temp\mespvp.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Local\Temp\pv.exe
C:\Users\Admin\AppData\Local\Temp\pv.exe /stext C:\Users\Admin\AppData\Local\Temp\pvp.txt
3⤵
- Executes dropped EXE
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WBP.exe
Filesize
183KB

MD5
6d95f03eaf83b31686f263260202ee36

SHA1
6633ac9d7790031b49bb2a4170ec77591d94bb58

SHA256
29f2a54c829c37fc904a2b682c50b57d6d35e9af5dc7f43d72b68c8c51255103

SHA512
a8dda5f3c9e493f9f0e17bfee40a73f74ac6c4276b22589ec9bb163a91f941d966e4ce3b0866be7488fddd229156d73017fb8b22fc3b90903591fef2045c2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBP.exe
Filesize
183KB

MD5
6d95f03eaf83b31686f263260202ee36

SHA1
6633ac9d7790031b49bb2a4170ec77591d94bb58

SHA256
29f2a54c829c37fc904a2b682c50b57d6d35e9af5dc7f43d72b68c8c51255103

SHA512
a8dda5f3c9e493f9f0e17bfee40a73f74ac6c4276b22589ec9bb163a91f941d966e4ce3b0866be7488fddd229156d73017fb8b22fc3b90903591fef2045c2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\mespv.exe
Filesize
65KB

MD5
ffc52f2b4435fcddaca6e15489a88b75

SHA1
63ec31a04cf176852344d544ae855da0dac64980

SHA256
3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f

SHA512
389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mespv.exe
Filesize
65KB

MD5
ffc52f2b4435fcddaca6e15489a88b75

SHA1
63ec31a04cf176852344d544ae855da0dac64980

SHA256
3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f

SHA512
389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpv.exe
Filesize
50KB

MD5
a138fca70622323e45d6018125322051

SHA1
b91f8e20569fecabed22e48da5ec626758563488

SHA256
677d333648aba8e2538cbbb9fdd8a32901c67a5e10c8f951970313499304783a

SHA512
b89f1d513608f5b0f8022a8d983cdfec0064ecd5e8479125b40477738fc0f5e2b1aa77868333fd783cd5cd2233e0f018d16d8865650071b1a371d375c22a54ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpv.exe
Filesize
50KB

MD5
a138fca70622323e45d6018125322051

SHA1
b91f8e20569fecabed22e48da5ec626758563488

SHA256
677d333648aba8e2538cbbb9fdd8a32901c67a5e10c8f951970313499304783a

SHA512
b89f1d513608f5b0f8022a8d983cdfec0064ecd5e8479125b40477738fc0f5e2b1aa77868333fd783cd5cd2233e0f018d16d8865650071b1a371d375c22a54ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv.exe
Filesize
38KB

MD5
afe3aeeffaa1e1772a926ca45923f33f

SHA1
f20104fa1f75f341818751b5164b5c2b24d2dd9e

SHA256
6cbc1d59fdba6445b8e7243a08bd64816f01fcf6ce7f68570d9170e13c8810a7

SHA512
083732db58970d192b98c4298444b8eba2ecae5fa982b3d9505cfa17bce920106281f66df507e6e211d969a6c553d212e50dcdcfeab4b900301d01c442a0de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv.exe
Filesize
38KB

MD5
afe3aeeffaa1e1772a926ca45923f33f

SHA1
f20104fa1f75f341818751b5164b5c2b24d2dd9e

SHA256
6cbc1d59fdba6445b8e7243a08bd64816f01fcf6ce7f68570d9170e13c8810a7

SHA512
083732db58970d192b98c4298444b8eba2ecae5fa982b3d9505cfa17bce920106281f66df507e6e211d969a6c553d212e50dcdcfeab4b900301d01c442a0de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvp.txt
Filesize
727B

MD5
1fb453f0396783521dfc6a5d330dd090

SHA1
a76076daffd6cfd5fd72b2c6e58264842b7a3829

SHA256
d344b70b33550594b1cbc7524f0517f496305131e52b0c79a896efd89c550dde

SHA512
6bade052ae64f752df02bacf6fa71d6b8ef7c294f57d4779e62b3e96540ae4d391fb83d1e924ae285210e119d01f8b4b9faf6242339827f7e6b6144160ebf763

Download Submit
memory/424-156-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/424-152-0x0000000000000000-mapping.dmp

Download
memory/664-132-0x0000000000000000-mapping.dmp

Download
memory/664-138-0x0000000001200000-0x0000000001256000-memory.dmp

Filesize
344KB

Download
memory/664-135-0x0000000008360000-0x0000000008904000-memory.dmp

Filesize
5.6MB

Download
memory/664-134-0x0000000007D10000-0x0000000007DAC000-memory.dmp

Filesize
624KB

Download
memory/664-137-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

Filesize
40KB

Download
memory/664-136-0x0000000007E50000-0x0000000007EE2000-memory.dmp

Filesize
584KB

Download
memory/664-133-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1432-148-0x0000000000000000-mapping.dmp

Download
memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4360-139-0x0000000000000000-mapping.dmp

Download
memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5004-146-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5004-143-0x0000000000000000-mapping.dmp

Download
memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download