Analysis
-
max time kernel
66s
-
max time network
141s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
27-11-2022 11:17
Static task
static1
Behavioral task
behavioral1
Sample
bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
Resource
win7-20220812-en
General
-
Target
bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
-
Size
595KB
-
MD5
c72fe8f5bf2b8ba807567c6d14f778b7
-
SHA1
d2508b1cd80dbffae32a25af6b67884cec475ac3
-
SHA256
bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696
-
SHA512
2d5994cd645d4a4a2fbb00ac4c54feed0c8c3690f1bcca8e4c012270a8c9c64186b74dc51aac4a02208cc0be27d79e3d4d3a55b4db5a759ea0b25f3d018457e9
-
SSDEEP
12288:MgnDOegilNv/nXQmvrI+Yd/CG0dubHTyMu4dxq8yA0bfunDaMgSfX2AuW:fDdNXFvX8d0srW4dw80CnD5VmAuW
Malware Config
Signatures
-
NirSoft MailPassView 14 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
behavioral1/memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1596-78-0x0000000000411654-mapping.dmp | MailPassView
behavioral1/memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 14 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
behavioral1/memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/828-85-0x0000000000442628-mapping.dmp | WebBrowserPassView
behavioral1/memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft 19 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
behavioral1/memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1596-78-0x0000000000411654-mapping.dmp | Nirsoft
behavioral1/memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/828-85-0x0000000000442628-mapping.dmp | Nirsoft
behavioral1/memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1636 | zzz.exe
268 | Windows Update.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1636 | zzz.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | whatismyipaddress.com
5 | whatismyipaddress.com
6 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 268 set thread context of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 set thread context of 828 | 268 | Windows Update.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
268 | Windows Update.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 268 | Windows Update.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
956 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
268 | Windows Update.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description | pid | process | target process
PID 1132 wrote to memory of 1636 | 1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe | zzz.exe
PID 1132 wrote to memory of 1636 | 1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe | zzz.exe
PID 1132 wrote to memory of 1636 | 1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe | zzz.exe
PID 1132 wrote to memory of 1636 | 1132 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe | zzz.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 1636 wrote to memory of 268 | 1636 | zzz.exe | Windows Update.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 1596 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
PID 268 wrote to memory of 828 | 268 | Windows Update.exe | vbc.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\zzz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zzz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
-
      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
-
[depth 1] C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
41B
MD5
9f088842838e60944c3e28f04e5b933d
SHA1
66087851be274bd639e91710994324274ec258ed
SHA256
2e683191609033732beced3f0dbdcdc632ddc454716ed573dfd86bb74ab46eb0
SHA512
c250e9b9ab1aebc9fdd3739069df4a1a7dd784c10011de71066eb3410c8169f2733ea5bc28f04abe045ffe63ba34cbad4d56ef92799959dc5af7cb49908109e6
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\lenin.jpg
Filesize
26KB
MD5
16d78b756d288d3c978cbf49decbfa66
SHA1
f512a67bed31a46dbabdaa1a71fe5b25cf3f8dda
SHA256
932beb2b03362e909d62dc2d37b849496be355ee0694467d36673731a34e5b33
SHA512
2417233adada4bf2dbbd05ffaffcccfce9732f56cd032a36fc20c32f921ceca7864fd8e18c77bcdee18ae73e48f538803b2f0d8f6fabb82e11d486a7d557cb46
-
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB
MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
memory/268-68-0x0000000000000000-mapping.dmp
-
memory/268-73-0x0000000073400000-0x00000000739AB000-memory.dmp
Filesize
5.7MB
-
memory/268-76-0x0000000073400000-0x00000000739AB000-memory.dmp
Filesize
5.7MB
-
memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize
352KB
-
memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize
352KB
-
memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize
352KB
-
memory/828-85-0x0000000000442628-mapping.dmp
-
memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize
352KB
-
memory/1132-63-0x0000000000400000-0x00000000004964F1-memory.dmp
Filesize
601KB
-
memory/1132-54-0x0000000075931000-0x0000000075933000-memory.dmp
Filesize
8KB
-
memory/1132-55-0x0000000000400000-0x00000000004964F1-memory.dmp
Filesize
601KB
-
memory/1596-78-0x0000000000411654-mapping.dmp
-
memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize
108KB
-
memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize
108KB
-
memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize
108KB
-
memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize
108KB
-
memory/1636-74-0x0000000073400000-0x00000000739AB000-memory.dmp
Filesize
5.7MB
-
memory/1636-66-0x0000000073400000-0x00000000739AB000-memory.dmp
Filesize
5.7MB
-
memory/1636-61-0x0000000000000000-mapping.dmp