Analysis
- max time kernel: 186s
- max time network: 188s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 26-11-2022 15:47
Static task: static1
Behavioral task: behavioral1
- Sample: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- Resource: win10v2004-20220812-en
General
- Target: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- Size: 723KB
- MD5: 697032b609cad099ec3b347bd0f34cb3
- SHA1: fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
- SHA256: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
- SHA512: 700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0
- SSDEEP: 12288:4vsfrEOhNBJksGrtIgmu6H5F/XunkwDxnYKCw9vweJ2F/MVXxSlM:5EOjBJfG2gm/unkwRYa9v3cFw
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: [email protected]
- Password: general123
Signatures
NirSoft MailPassView 19 IoCs
Password recovery tool for various email clients
NirSoft WebBrowserPassView 19 IoCs
Password recovery tool for various web browsers
Nirsoft 24 IoCs
Executes dropped EXE 5 IoCs
Processes:
- PID 1764 LookupSvi.exe
- PID 332 secdrv.exe
- PID 2008 secdrv.exe
- PID 976 LookupSvi.exe
- PID 1364 LookupSvi.exe
Loads dropped DLL 4 IoCs
Processes:
- PID 536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- PID 1764 LookupSvi.exe
- PID 332 secdrv.exe
- PID 1924 takshost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- LookupSvi.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" (the same value is written three times, once by each LookupSvi.exe instance)
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flows 4, 6, 7: whatismyipaddress.com
Suspicious use of SetThreadContext 5 IoCs
Processes:
- PID 536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe set thread context of PID 1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- PID 1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe set thread context of PID 1084 vbc.exe
- PID 1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe set thread context of PID 1260 vbc.exe
- PID 332 secdrv.exe set thread context of PID 2008 secdrv.exe
- PID 1924 takshost.exe set thread context of PID 980 takshost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- PID 536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- Token: SeDebugPrivilege, PID 536 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- Token: SeDebugPrivilege, PID 1764 LookupSvi.exe
- Token: SeDebugPrivilege, PID 1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
- Token: SeDebugPrivilege, PID 332 secdrv.exe
- Token: SeDebugPrivilege, PID 976 LookupSvi.exe
- Token: SeDebugPrivilege, PID 1924 takshost.exe
- Token: SeDebugPrivilege, PID 1364 LookupSvi.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 1140 c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe (level 1)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe (level 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" (level 3)
      - Accesses Microsoft Outlook accounts
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" (level 3)
  - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (level 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (level 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (level 4)
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (level 4)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (level 2)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (level 3)
    - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (level 3)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads