Analysis
- max time kernel: 132s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 11:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
- Resource: win7-20220812-en
General
- Target: bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
- Size: 595KB
- MD5: c72fe8f5bf2b8ba807567c6d14f778b7
- SHA1: d2508b1cd80dbffae32a25af6b67884cec475ac3
- SHA256: bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696
- SHA512: 2d5994cd645d4a4a2fbb00ac4c54feed0c8c3690f1bcca8e4c012270a8c9c64186b74dc51aac4a02208cc0be27d79e3d4d3a55b4db5a759ea0b25f3d018457e9
- SSDEEP: 12288:MgnDOegilNv/nXQmvrI+Yd/CG0dubHTyMu4dxq8yA0bfunDaMgSfX2AuW:fDdNXFvX8d0srW4dw80CnD5VmAuW
Malware Config
Signatures
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | MailPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
- behavioral2/memory/4004-144-0x0000000000000000-mapping.dmp | MailPassView
- behavioral2/memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral2/memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral2/memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | WebBrowserPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
- behavioral2/memory/4044-150-0x0000000000000000-mapping.dmp | WebBrowserPassView
- behavioral2/memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral2/memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral2/memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral2/memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft 13 IoCs
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\zzz.exe | Nirsoft
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
- C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
- behavioral2/memory/4004-144-0x0000000000000000-mapping.dmp | Nirsoft
- behavioral2/memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/4044-150-0x0000000000000000-mapping.dmp | Nirsoft
- behavioral2/memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral2/memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral2/memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral2/memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
- 3324 | zzz.exe
- 2656 | Windows Update.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | zzz.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 15 | whatismyipaddress.com
- 17 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | process | target process):
- PID 2656 set thread context of 4004 | 2656 | Windows Update.exe | vbc.exe
- PID 2656 set thread context of 4044 | 2656 | Windows Update.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid | process):
- 4044 | vbc.exe
- 4044 | vbc.exe
- 2656 | Windows Update.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2656 | Windows Update.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
- 2656 | Windows Update.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description | pid | process | target process), identical entries grouped with their count:
- PID 5004 wrote to memory of 3324 | 5004 | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe | zzz.exe (3 entries)
- PID 3324 wrote to memory of 2656 | 3324 | zzz.exe | Windows Update.exe (3 entries)
- PID 2656 wrote to memory of 4004 | 2656 | Windows Update.exe | vbc.exe (9 entries)
- PID 2656 wrote to memory of 4044 | 2656 | Windows Update.exe | vbc.exe (9 entries)
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zzz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zzz.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 41B
MD5: 9f088842838e60944c3e28f04e5b933d
SHA1: 66087851be274bd639e91710994324274ec258ed
SHA256: 2e683191609033732beced3f0dbdcdc632ddc454716ed573dfd86bb74ab46eb0
SHA512: c250e9b9ab1aebc9fdd3739069df4a1a7dd784c10011de71066eb3410c8169f2733ea5bc28f04abe045ffe63ba34cbad4d56ef92799959dc5af7cb49908109e6
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize: 756KB
MD5: d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1: fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256: 05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512: 986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 756KB
MD5: d1cf1cc4a509d5d98ace7f47b5bf6b55
SHA1: fda7a972da8bfc13a48b020e3e82fbe31c01d2d3
SHA256: 05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b
SHA512: 986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8
-
memory/2656-142-0x0000000074860000-0x0000000074E11000-memory.dmp
Filesize: 5.7MB
-
memory/2656-149-0x0000000074860000-0x0000000074E11000-memory.dmp
Filesize: 5.7MB
-
memory/2656-138-0x0000000000000000-mapping.dmp
-
memory/3324-137-0x0000000074860000-0x0000000074E11000-memory.dmp
Filesize: 5.7MB
-
memory/3324-141-0x0000000074860000-0x0000000074E11000-memory.dmp
Filesize: 5.7MB
-
memory/3324-133-0x0000000000000000-mapping.dmp
-
memory/4004-144-0x0000000000000000-mapping.dmp
-
memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4044-150-0x0000000000000000-mapping.dmp
-
memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/5004-136-0x0000000000400000-0x00000000004964F1-memory.dmp
Filesize: 601KB
-
memory/5004-132-0x0000000000400000-0x00000000004964F1-memory.dmp
Filesize: 601KB