Analysis
max time kernel: 189s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 15:47
Static task: static1
Behavioral task: behavioral1
  Sample: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
  Resource: win10v2004-20220812-en
General
Target: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Size: 723KB
MD5: 697032b609cad099ec3b347bd0f34cb3
SHA1: fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
SHA256: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
SHA512: 700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0
SSDEEP: 12288:4vsfrEOhNBJksGrtIgmu6H5F/XunkwDxnYKCw9vweJ2F/MVXxSlM:5EOjBJfG2gm/unkwRYa9v3cFw
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: general123

This is the exfiltration endpoint: a mail.ru mailbox reached over the SMTP submission port (587), not attacker-hosted infrastructure, so the usable network indicators are the mail.ru host and the mailbox credentials rather than an IP address. The configuration was extracted statically; no SMTP flow is recorded among this report's signatures, so delivery was not observed during the run.
Signatures
(all memory references below are from behavioral2, the Windows 10 run)

NirSoft MailPassView (9 IoCs)
Password recovery tool for various email clients
yara_rule MailPassView matched in:
  behavioral2/memory/4144-136-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral2/memory/3912-164-0x0000000000000000-mapping.dmp
  behavioral2/memory/3912-165-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3912-167-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3912-168-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3308-170-0x0000000000000000-mapping.dmp
  behavioral2/memory/3308-174-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/2932-200-0x0000000000000000-mapping.dmp
  behavioral2/memory/2932-204-0x0000000000400000-0x000000000041B000-memory.dmp
NirSoft WebBrowserPassView (10 IoCs)
Password recovery tool for various web browsers
yara_rule WebBrowserPassView matched in:
  behavioral2/memory/4144-136-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral2/memory/1300-178-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/1300-177-0x0000000000000000-mapping.dmp
  behavioral2/memory/1300-180-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/1300-182-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/2592-184-0x0000000000000000-mapping.dmp
  behavioral2/memory/2592-187-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/2592-189-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/504-207-0x0000000000000000-mapping.dmp
  behavioral2/memory/504-212-0x0000000000400000-0x0000000000458000-memory.dmp
Nirsoft (18 IoCs)
yara_rule Nirsoft matched in:
  behavioral2/memory/4144-136-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral2/memory/3912-164-0x0000000000000000-mapping.dmp
  behavioral2/memory/3912-165-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3912-167-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3912-168-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/3308-170-0x0000000000000000-mapping.dmp
  behavioral2/memory/3308-174-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/1300-178-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/1300-177-0x0000000000000000-mapping.dmp
  behavioral2/memory/1300-180-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/1300-182-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/2592-184-0x0000000000000000-mapping.dmp
  behavioral2/memory/2592-187-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/2592-189-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/2932-200-0x0000000000000000-mapping.dmp
  behavioral2/memory/2932-204-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/504-207-0x0000000000000000-mapping.dmp
  behavioral2/memory/504-212-0x0000000000400000-0x0000000000458000-memory.dmp

Reading the three rule sets together: the 560KB image at 0x400000 in pid 4144 (the sample's own second instance) matches both MailPassView and WebBrowserPassView, so the stealer carries both tools embedded. The 108KB images (0x400000-0x41B000) in pids 3912, 3308 and 2932 match only MailPassView and the 352KB images (0x400000-0x458000) in pids 1300, 2592 and 504 match only WebBrowserPassView; every one of those pids is a vbc.exe process (see the SetThreadContext and WriteProcessMemory tables below), i.e. each tool is unpacked into its own vbc.exe host.
Executes dropped EXE (5 IoCs)
pid   process
4992  LookupSvi.exe
356   secdrv.exe
4284  secdrv.exe
1480  LookupSvi.exe
856   LookupSvi.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  by c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
  by LookupSvi.exe
  by secdrv.exe
  by takshost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)
vbc.exe is the Visual Basic .NET compiler, a signed Microsoft binary under C:\Windows\Microsoft.NET\Framework\v2.0.50727. Here it compiles nothing: every instance is launched with /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" (NirSoft's command-line switch for saving a tool's results to a text file), its parent writes into it and sets its thread context (tables below), and the memory dumped from those vbc.exe pids matches the MailPassView and WebBrowserPassView rules above. The compiler is only a host process for the injected password-recovery tools, and holdermail.txt (3KB, listed under Downloads) is their output.
Accesses Microsoft Outlook accounts (1 TTPs, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  by vbc.exe (three separate vbc.exe instances, one per MailPassView host)
Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"
  by LookupSvi.exe (written by each of the three LookupSvi.exe instances)

The value name borrows Macrovision's DRM branding (the legitimate SafeDisc driver is secdrv.sys), matching the dropped secdrv.exe filename. Persistence is per-user and points at a user-writable path, so no elevation was needed; removing this Run value together with LookupSvi.exe and secdrv.exe in %AppData%\Microsoft covers the persistence seen in this run.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 29: whatismyipaddress.com
flow 56: whatismyipaddress.com
flow 109: whatismyipaddress.com

whatismyipaddress.com is a legitimate service, so on its own this is a weak indicator; it becomes useful when correlated with the vbc.exe /stext launches and the Run key write from the same host.
Suspicious use of SetThreadContext (9 IoCs)
pid   process                                                                 target pid  target process
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  4144        c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
356   secdrv.exe                                                              4284        secdrv.exe
4284  secdrv.exe                                                              3912        vbc.exe
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  3308        vbc.exe
4284  secdrv.exe                                                              1300        vbc.exe
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  2592        vbc.exe
2424  takshost.exe                                                            3252        takshost.exe
3252  takshost.exe                                                            2932        vbc.exe
3252  takshost.exe                                                            504         vbc.exe

The pattern repeats three times: a process starts a second copy of its own image and sets that copy's thread context (4108->4144, 356->4284, 2424->3252), then the copy does the same to two vbc.exe children. Combined with the WriteProcessMemory entries below this is the process-hollowing sequence, and the NirSoft rule matches on the vbc.exe memory dumps show what was written in.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading here, and the remaining signatures point to credential theft.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe (all 64 IoCs are this same pid and process)
Suspicious behavior: RenamesItself (1 IoCs)
pid   process
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Suspicious behavior: SetClipboardViewer (2 IoCs)
pid   process
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
3252  takshost.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Token: SeDebugPrivilege, enabled by:
  4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
  4992  LookupSvi.exe
  4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
  356   secdrv.exe
  1480  LookupSvi.exe
  4284  secdrv.exe
  2424  takshost.exe
  856   LookupSvi.exe
  3252  takshost.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   process
4284  secdrv.exe
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
3252  takshost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries collapse to ten parent/child pairs; the count column gives how many times each pair appears.
pid   process                                                                 target pid  target process                                                          count
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  4144        c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  8
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  4992        LookupSvi.exe                                                           3
4992  LookupSvi.exe                                                           356         secdrv.exe                                                              3
4108  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  2424        takshost.exe                                                            3
356   secdrv.exe                                                              4284        secdrv.exe                                                              8
356   secdrv.exe                                                              1480        LookupSvi.exe                                                           3
4284  secdrv.exe                                                              3912        vbc.exe                                                                 9
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  3308        vbc.exe                                                                 9
4284  secdrv.exe                                                              1300        vbc.exe                                                                 9
4144  c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe  2592        vbc.exe                                                                 9
Processes
(indentation shows parent/child depth; the pids in parentheses are taken from the SetThreadContext and WriteProcessMemory tables above, which name each parent and child; the vbc.exe pairs are ordered as in those tables, and in each pair the instance that accesses Outlook accounts is the one whose memory matched MailPassView; pid 856 is the LookupSvi.exe instance left over from the AdjustPrivilegeToken list)

C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe (pid 4108)
  command line: "C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe (pid 4144)
      command line: "C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 3308)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 2592)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

    C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (pid 4992)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (pid 356)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (pid 4284)
              command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 3912)
                  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                  - Accesses Microsoft Outlook accounts

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 1300)
                  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

            C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (pid 1480)
              command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (pid 2424)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (pid 3252)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 2932)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              - Accesses Microsoft Outlook accounts

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 504)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (pid 856 runs LookupSvi.exe from here)
          C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (pid 856)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken

Note that takshost.exe under %AppData%\Microsoft\Windows\Templates is executed but appears neither under Executes dropped EXE nor in the Downloads list, so this report does not capture how it was written to disk.
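The chain above gives a detection engineer four concrete things to key on: a process starting a second copy of its own image, a .NET Framework binary launched from a user-writable path, vbc.exe carrying NirSoft's /stext switch, a Run value pointing into %AppData%, and the Geo\Nation query. The Python below is an added example and not part of the sandbox report: it runs those rules over constructed process-creation and registry events modelled on this report's process tree (pids as in the report), with one benign vbc.exe compile added as a control that must not fire. The flat dict layout of the events is an assumption of the example rather than any real EDR or Sysmon schema.

```python
"""Added example: behaviour rules run over constructed process-creation and
registry events modelled on this report's process tree. Not sandbox output;
the event dict layout is an assumption of this example, not a real log format."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
LOOKUPSVI = r"C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
SECDRV = r"C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
HOLDERMAIL = r"C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"

# Constructed events (pids as in the report). The last entry is a benign control:
# a developer genuinely compiling with vbc.exe, which must not be flagged.
EVENTS = [
    {"type": "proc", "pid": 4108, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "proc", "pid": 4144, "ppid": 4108, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "proc", "pid": 3308, "ppid": 4144, "image": VBC, "cmdline": f'{VBC} /stext "{HOLDERMAIL}"'},
    {"type": "proc", "pid": 2592, "ppid": 4144, "image": VBC, "cmdline": f'{VBC} /stext "{HOLDERMAIL}"'},
    {"type": "proc", "pid": 4992, "ppid": 4108, "image": LOOKUPSVI, "cmdline": f'"{LOOKUPSVI}"'},
    {"type": "proc", "pid": 356, "ppid": 4992, "image": SECDRV, "cmdline": f'"{SECDRV}"'},
    {"type": "proc", "pid": 4284, "ppid": 356, "image": SECDRV, "cmdline": f'"{SECDRV}"'},
    {"type": "reg", "pid": 4992, "op": "SetValue", "data": LOOKUPSVI,
     "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver"},
    {"type": "reg", "pid": 4108, "op": "QueryValue", "data": "",
     "key": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
    {"type": "proc", "pid": 7000, "ppid": 6999, "image": VBC,
     "cmdline": f"{VBC} /target:exe /out:app.exe app.vb"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
DOTNET_FRAMEWORK = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours recorded in this report."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "proc":
            parent = procs.get(e["ppid"])
            image = ntpath.basename(e["image"]).lower()
            # NirSoft tools save results with /stext; a compiler never takes that
            # switch, so vbc.exe plus /stext is the injected-tool tell.
            if image == "vbc.exe" and "/stext" in e["cmdline"].lower():
                findings.append(("nirsoft_stext_via_vbc", e["pid"], e["cmdline"]))
            # A process starting a second copy of its own image is the first hop
            # of the hollowing chain (4108->4144 and 356->4284 in the report).
            if parent and parent["image"].lower() == e["image"].lower():
                findings.append(("self_spawn_hollowing_candidate", e["pid"], parent["pid"]))
            # A .NET Framework binary whose parent lives in a user-writable path:
            # the report's second hop, where the hollowed copy launches vbc.exe.
            if parent and DOTNET_FRAMEWORK.search(e["image"]) and USER_WRITABLE.search(parent["image"]):
                findings.append(("framework_binary_from_user_path", e["pid"], parent["image"]))
        elif e["op"] == "SetValue" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            findings.append(("run_key_to_user_path", e["pid"], e["data"]))
        elif e["op"] == "QueryValue" and GEO_NATION.search(e["key"]):
            findings.append(("geo_nation_lookup", e["pid"], e["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The control event (pid 7000) produces nothing because its parent is unknown and its command line carries compiler switches rather than /stext; everything else in the constructed set fires, including both vbc.exe children of each hollowed copy. On real telemetry the self-spawn rule is the noisiest of the four (updaters and browsers also relaunch themselves), so it is best used to raise the score of the other three rather than to alert on its own.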
Downloads
(files the sandbox saw written to disk; entries that the original listing repeated with identical hashes are shown once with the repeat count)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log
  Filesize: 128B
  MD5: a5dcc7c9c08af7dddd82be5b036a4416
  SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
  SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
  SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

C:\Users\Admin\AppData\Local\Temp\holdermail.txt (written 3 times, identical content; the /stext output of the vbc.exe-hosted tools)
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (written 6 times, identical content)
  Filesize: 9KB
  MD5: f370aafe6181754b110816a54e38082a
  SHA1: 298d4d3309d74fcab8bc2906564ede1c62c07910
  SHA256: 55f11f6cbab2e77d6f49ea6fd94100c64aa0b469aae383b368ffc708dd012e50
  SHA512: c0d378fcd7cef57bec392a420f0684542644f336619aea586021f103131830dc820136380e2c07c2e93e688cb31970b913fd39d5c5e151e02e08f0f43d5d87f1

C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (written 3 times; hashes identical to the submitted sample, i.e. a copy of the sample itself)
  Filesize: 723KB
  MD5: 697032b609cad099ec3b347bd0f34cb3
  SHA1: fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
  SHA256: c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
  SHA512: 700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0

C:\Users\Admin\AppData\Roaming\pid.txt (first write)
  Filesize: 4B
  MD5: 605ac7e4c16b8a013b4779b81f883e66
  SHA1: d494d9da2ea46248e528af1f4da8061e3f245369
  SHA256: fbc1f6898b3fd1d2d806fcb944fe535ff5f4a1d973d8ef218558dd2e9ae526a3
  SHA512: 8c3338adba5c423598ef3eab334979e66e58e7524e28124431c0bec09270cc3cb50a1d8c57dd44b5f2a904d7d5c3b544d97380b0bbf37b7c72d84328c26b1b0f

C:\Users\Admin\AppData\Roaming\pid.txt (second write, different content)
  Filesize: 4B
  MD5: 41b0db49fd10d95920281dead0710f58
  SHA1: b8d1c85a1dae8fa175f01bad051f3baccb58e9e0
  SHA256: 1ce7bdf71376bafe03ac77bdbc692d33f8f5a92927186880c72729b96c03f9e4
  SHA512: 287ead4d4a5039c60c2130850ffed1eef731f19b32c634b1062aacc022b943429d8b6743f6af69c18ecbe82b9d66089a3280411661dd7a14e144b878e64cf5dd

C:\Users\Admin\AppData\Roaming\pidloc.txt (first write)
  Filesize: 51B
  MD5: 96a319b6d8e670b12bd261e3e8572472
  SHA1: c8df87c95722e82a67db072e1cd69ae146bbcad4
  SHA256: 66548457f89b81623f4b45c05f5036de3f4f167f2fded8e1bcea8f1032f18b2b
  SHA512: ddf343ec129daa6d0d8cddfff7fa072d5c619d50e1ccc85c0a4648e524cb44d3ce4eba720a273d3667927e1a41b558e0b6feef62137312b8b42d07092bea76d7

C:\Users\Admin\AppData\Roaming\pidloc.txt (second write, grown to twice the size)
  Filesize: 102B
  MD5: 07f6f1b0205f03d0642d0b1aa68ec84e
  SHA1: aea923df4c48aaada4fb12e01fb2cea9f0d578fb
  SHA256: 28c67af2759d30b3a03140ad3b86cbe8eacc5e0ebecd0bebec0c226165a830d6
  SHA512: 1a09bfd65bbf5f8f5b71e8518705ed15f59de3cefb24627ac41aa97577d80df9d9b17c1b3c667530d14dc0a7c034085127bceb55a2415a20324eedaee7e0c086

Memory dumps
The same 5.7MB mapping at 0x74E20000-0x00000000753D1000 appears in every process of the chain; the dumps based at 0x400000 are the unpacked images: 560KB in pid 4144 (the sample's second instance, matching both NirSoft rules), 108KB in pids 3912, 3308 and 2932 (MailPassView) and 352KB in pids 1300, 2592 and 504 (WebBrowserPassView).

memory/356-147-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/356-148-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/356-183-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/356-145-0x0000000000000000-mapping.dmp
memory/504-212-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/504-207-0x0000000000000000-mapping.dmp
memory/856-194-0x0000000000000000-mapping.dmp
memory/856-199-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/856-206-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/1300-178-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1300-177-0x0000000000000000-mapping.dmp
memory/1300-182-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1300-180-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/1480-156-0x0000000000000000-mapping.dmp
memory/1480-163-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/1480-176-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/1480-190-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/2424-149-0x0000000000000000-mapping.dmp
memory/2424-152-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/2424-169-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/2592-184-0x0000000000000000-mapping.dmp
memory/2592-189-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/2592-187-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
memory/2932-204-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/2932-200-0x0000000000000000-mapping.dmp
memory/3252-193-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/3252-205-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/3252-191-0x0000000000000000-mapping.dmp
memory/3308-174-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/3308-170-0x0000000000000000-mapping.dmp
memory/3912-165-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/3912-164-0x0000000000000000-mapping.dmp
memory/3912-167-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/3912-168-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
memory/4108-151-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4108-133-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4108-134-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4144-136-0x0000000000400000-0x000000000048C000-memory.dmp  560KB
memory/4144-142-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4144-135-0x0000000000000000-mapping.dmp
memory/4144-140-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4284-153-0x0000000000000000-mapping.dmp
memory/4284-162-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4284-175-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4992-137-0x0000000000000000-mapping.dmp
memory/4992-150-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4992-141-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB
memory/4992-143-0x0000000074E20000-0x00000000753D1000-memory.dmp  5.7MB