Analysis

max time kernel: 207s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 07:43
Static task: static1

Behavioral task: behavioral1
  Sample: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
  Resource: win10v2004-20221111-en
General

Target: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
Size: 1.2MB
MD5: 0c8e79eb046e7de5525fbad7d3c051eb
SHA1: 03ea745c77087375744552f1b9ac5f6f4f9d1942
SHA256: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379
SHA512: ed2c188732d69f7273381e773f1adead2862348fc4ebd43a783be81777d309a6752913422484d6727d5c915a0a41160ea12f9778b3e307900094c4505b36a4aa
SSDEEP: 24576:wtb20pkaCqT5TBWgNQ7aBW7GvVi4eUFkdTo5/pLP8t6A:5Vg5tQ7aBW7GNi4jOJeh7s5
Malware Config
Signatures
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp | MailPassView

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp | WebBrowserPassView
behavioral2/memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp | WebBrowserPassView

Nirsoft 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp | Nirsoft
behavioral2/memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp | Nirsoft
behavioral2/memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp | Nirsoft
behavioral2/memory/424-156-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft
behavioral2/memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp | Nirsoft

Executes dropped EXE 4 IoCs
Processes: mpv.exe, WBP.exe, mespv.exe, pv.exe
pid | process
4360 | mpv.exe
5004 | WBP.exe
1432 | mespv.exe
424 | pv.exe

UPX yara rule matches 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\mespv.exe | upx
C:\Users\Admin\AppData\Local\Temp\mespv.exe | upx
behavioral2/memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp | upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: mpv.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | mpv.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
description | pid | process | target process
PID 4252 set thread context of 664 | 4252 | c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe | vbc.exe

NTFS ADS 1 IoCs
Processes: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe:Zone.Identifier:$DATA | c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: WBP.exe, mespv.exe
pid | process
5004 | WBP.exe
5004 | WBP.exe
1432 | mespv.exe
1432 | mespv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: mespv.exe
description | pid | process
Token: SeDebugPrivilege | 1432 | mespv.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
pid | process
4252 | c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe (4 identical entries)

Suspicious use of SendNotifyMessage 4 IoCs
Processes: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe
pid | process
4252 | c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe (4 identical entries)

Suspicious use of WriteProcessMemory 20 IoCs
Processes: c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe, vbc.exe
count | description | pid | process | target process
8 | PID 4252 wrote to memory of 664 | 4252 | c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe | vbc.exe
3 | PID 664 wrote to memory of 4360 | 664 | vbc.exe | mpv.exe
3 | PID 664 wrote to memory of 5004 | 664 | vbc.exe | WBP.exe
3 | PID 664 wrote to memory of 1432 | 664 | vbc.exe | mespv.exe
3 | PID 664 wrote to memory of 424 | 664 | vbc.exe | pv.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe (PID 4252, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c092906c62fcb79a8f9515704d8f82fb29f7cab31db10f998bf979ee6e794379.exe"
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 664, depth 2)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mpv.exe (PID 4360, depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\mpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mpvp.txt
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts

    C:\Users\Admin\AppData\Local\Temp\WBP.exe (PID 5004, depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\WBP.exe /stext C:\Users\Admin\AppData\Local\Temp\WBVP.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\mespv.exe (PID 1432, depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\mespv.exe /stext C:\Users\Admin\AppData\Local\Temp\mespvp.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\pv.exe (PID 424, depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\pv.exe /stext C:\Users\Admin\AppData\Local\Temp\pvp.txt
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\WBP.exe
  Filesize: 183KB
  MD5: 6d95f03eaf83b31686f263260202ee36
  SHA1: 6633ac9d7790031b49bb2a4170ec77591d94bb58
  SHA256: 29f2a54c829c37fc904a2b682c50b57d6d35e9af5dc7f43d72b68c8c51255103
  SHA512: a8dda5f3c9e493f9f0e17bfee40a73f74ac6c4276b22589ec9bb163a91f941d966e4ce3b0866be7488fddd229156d73017fb8b22fc3b90903591fef2045c2b46

C:\Users\Admin\AppData\Local\Temp\mespv.exe
  Filesize: 65KB
  MD5: ffc52f2b4435fcddaca6e15489a88b75
  SHA1: 63ec31a04cf176852344d544ae855da0dac64980
  SHA256: 3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f
  SHA512: 389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c

C:\Users\Admin\AppData\Local\Temp\mpv.exe
  Filesize: 50KB
  MD5: a138fca70622323e45d6018125322051
  SHA1: b91f8e20569fecabed22e48da5ec626758563488
  SHA256: 677d333648aba8e2538cbbb9fdd8a32901c67a5e10c8f951970313499304783a
  SHA512: b89f1d513608f5b0f8022a8d983cdfec0064ecd5e8479125b40477738fc0f5e2b1aa77868333fd783cd5cd2233e0f018d16d8865650071b1a371d375c22a54ee

C:\Users\Admin\AppData\Local\Temp\pv.exe
  Filesize: 38KB
  MD5: afe3aeeffaa1e1772a926ca45923f33f
  SHA1: f20104fa1f75f341818751b5164b5c2b24d2dd9e
  SHA256: 6cbc1d59fdba6445b8e7243a08bd64816f01fcf6ce7f68570d9170e13c8810a7
  SHA512: 083732db58970d192b98c4298444b8eba2ecae5fa982b3d9505cfa17bce920106281f66df507e6e211d969a6c553d212e50dcdcfeab4b900301d01c442a0de91

C:\Users\Admin\AppData\Local\Temp\pvp.txt
  Filesize: 727B
  MD5: 1fb453f0396783521dfc6a5d330dd090
  SHA1: a76076daffd6cfd5fd72b2c6e58264842b7a3829
  SHA256: d344b70b33550594b1cbc7524f0517f496305131e52b0c79a896efd89c550dde
  SHA512: 6bade052ae64f752df02bacf6fa71d6b8ef7c294f57d4779e62b3e96540ae4d391fb83d1e924ae285210e119d01f8b4b9faf6242339827f7e6b6144160ebf763

Memory dumps:
memory/424-156-0x0000000000400000-0x0000000000418000-memory.dmp  Filesize: 96KB
memory/424-152-0x0000000000000000-mapping.dmp
memory/664-132-0x0000000000000000-mapping.dmp
memory/664-138-0x0000000001200000-0x0000000001256000-memory.dmp  Filesize: 344KB
memory/664-135-0x0000000008360000-0x0000000008904000-memory.dmp  Filesize: 5.6MB
memory/664-134-0x0000000007D10000-0x0000000007DAC000-memory.dmp  Filesize: 624KB
memory/664-137-0x0000000007DB0000-0x0000000007DBA000-memory.dmp  Filesize: 40KB
memory/664-136-0x0000000007E50000-0x0000000007EE2000-memory.dmp  Filesize: 584KB
memory/664-133-0x0000000000400000-0x0000000000460000-memory.dmp  Filesize: 384KB
memory/1432-151-0x0000000000400000-0x0000000000426000-memory.dmp  Filesize: 152KB
memory/1432-148-0x0000000000000000-mapping.dmp
memory/4360-142-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize: 120KB
memory/4360-139-0x0000000000000000-mapping.dmp
memory/5004-147-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB
memory/5004-146-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB
memory/5004-143-0x0000000000000000-mapping.dmp
memory/5004-157-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB