a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214

General

Target

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
Size

1.2MB
MD5

d60d342c872960e239fc21a6785cb23e
SHA1

b2208b51a0cce67409c0b177f411b7ba6759a0ea
SHA256

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214
SHA512

74bb867bbe785076cdf320fc7dc0835e6e94c5b4a3cc74696ba96a1632b9064cdc02e62caf8117ce156bdd2bfb14b51862ae8fb23c5b3c3ddb27322b4e1f81c8
SSDEEP

24576:m3XTLC8OesJvIy112r6iiLoGmuP6cHsiK9GkUddebsVp3vmQfIL2ntbyEwxstM6o:mzQzJvIyL269mi66JXvmRL2nyxstM6D0

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
mocxcefaktgkceun

Signatures

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3432-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/3452-162-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3452-160-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/3452-169-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3452-177-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3452-178-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3432-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/3268-159-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/3268-161-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/3268-171-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/3268-180-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3432-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/3268-159-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/3268-161-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/3452-162-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3452-160-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4272-167-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4272-168-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/3268-171-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/3452-169-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4272-174-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/4272-176-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/3452-177-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3452-178-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4272-179-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/3268-180-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exe

pid process

4672 LookupSvi.exe
2336 secdrv.exe
4660 secdrv.exe
3968 LookupSvi.exe

pid	process
4672	LookupSvi.exe
2336	secdrv.exe
4660	secdrv.exe
3968	LookupSvi.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exeLookupSvi.exesecdrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	LookupSvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	secdrv.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LookupSvi.exeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

76 whatismyipaddress.com

flow	ioc
76	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exesecdrv.exea447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

description	pid	process	target process
PID 2024 set thread context of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2336 set thread context of 4660	2336	secdrv.exe	secdrv.exe
PID 3432 set thread context of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 set thread context of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 set thread context of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

pid	process
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exeLookupSvi.exesecdrv.exeLookupSvi.exea447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

description	pid	process
Token: SeDebugPrivilege	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
Token: SeDebugPrivilege	4672	LookupSvi.exe
Token: SeDebugPrivilege	2336	secdrv.exe
Token: SeDebugPrivilege	3968	LookupSvi.exe
Token: SeDebugPrivilege	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

pid process

3432 a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

pid	process
3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exeLookupSvi.exesecdrv.exea447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe

description	pid	process	target process
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 3432	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
PID 2024 wrote to memory of 4672	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	LookupSvi.exe
PID 2024 wrote to memory of 4672	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	LookupSvi.exe
PID 2024 wrote to memory of 4672	2024	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	LookupSvi.exe
PID 4672 wrote to memory of 2336	4672	LookupSvi.exe	secdrv.exe
PID 4672 wrote to memory of 2336	4672	LookupSvi.exe	secdrv.exe
PID 4672 wrote to memory of 2336	4672	LookupSvi.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 4660	2336	secdrv.exe	secdrv.exe
PID 2336 wrote to memory of 3968	2336	secdrv.exe	LookupSvi.exe
PID 2336 wrote to memory of 3968	2336	secdrv.exe	LookupSvi.exe
PID 2336 wrote to memory of 3968	2336	secdrv.exe	LookupSvi.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3268	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 3452	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe
PID 3432 wrote to memory of 4720	3432	a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
"C:\Users\Admin\AppData\Local\Temp\a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe
  "C:\Users\Admin\AppData\Local\Temp\a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    PID:4720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:3268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    PID:3452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
    3⤵
    PID:4272
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
    3⤵
    PID:1548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2340
    3⤵
    PID:2420
- C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
      4⤵
      Executes dropped EXE
      PID:4660
  - - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1548 -ip 1548
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
cf7e259dd0225ae86a29f5952bcb5b4d

SHA1
4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

SHA256
bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8

SHA512
91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
cf7e259dd0225ae86a29f5952bcb5b4d

SHA1
4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

SHA256
bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8

SHA512
91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
cf7e259dd0225ae86a29f5952bcb5b4d

SHA1
4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

SHA256
bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8

SHA512
91c469f7b4d3c95177ccb013e3c16fe61fffa1fd631857f44bb335382b6c0c80d8bb178e72140178716312f49efbee45ccbe3467a01099561ab3ddf33b412b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.2MB

MD5
d60d342c872960e239fc21a6785cb23e

SHA1
b2208b51a0cce67409c0b177f411b7ba6759a0ea

SHA256
a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214

SHA512
74bb867bbe785076cdf320fc7dc0835e6e94c5b4a3cc74696ba96a1632b9064cdc02e62caf8117ce156bdd2bfb14b51862ae8fb23c5b3c3ddb27322b4e1f81c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.2MB

MD5
d60d342c872960e239fc21a6785cb23e

SHA1
b2208b51a0cce67409c0b177f411b7ba6759a0ea

SHA256
a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214

SHA512
74bb867bbe785076cdf320fc7dc0835e6e94c5b4a3cc74696ba96a1632b9064cdc02e62caf8117ce156bdd2bfb14b51862ae8fb23c5b3c3ddb27322b4e1f81c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.2MB

MD5
d60d342c872960e239fc21a6785cb23e

SHA1
b2208b51a0cce67409c0b177f411b7ba6759a0ea

SHA256
a447a05c3519b7716ca64524bec450c2fc0402c503abb901b18cfb076aa36214

SHA512
74bb867bbe785076cdf320fc7dc0835e6e94c5b4a3cc74696ba96a1632b9064cdc02e62caf8117ce156bdd2bfb14b51862ae8fb23c5b3c3ddb27322b4e1f81c8

Download Submit
memory/1548-172-0x0000000000000000-mapping.dmp

Download
memory/2024-133-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2024-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2024-150-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2336-146-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2336-147-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2336-144-0x0000000000000000-mapping.dmp

Download
memory/2420-175-0x0000000000000000-mapping.dmp

Download
memory/3268-171-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3268-180-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3268-159-0x0000000000000000-mapping.dmp

Download
memory/3268-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3432-141-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3432-139-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3432-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3432-134-0x0000000000000000-mapping.dmp

Download
memory/3452-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-160-0x0000000000000000-mapping.dmp

Download
memory/3968-153-0x0000000000000000-mapping.dmp

Download
memory/3968-157-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-158-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-176-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4272-168-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4272-167-0x0000000000000000-mapping.dmp

Download
memory/4272-174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4272-179-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4660-156-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4660-148-0x0000000000000000-mapping.dmp

Download
memory/4672-152-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-142-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-140-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-136-0x0000000000000000-mapping.dmp

Download
memory/4720-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads