Analysis
-
max time kernel: 155s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe
  Resource: win10v2004-20221111-en
General
-
Target: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe
Size: 1.0MB
MD5: f5d39ed2c191f84c4372f79dde6a7b72
SHA1: b50c2df32fb0d5e182f60394f88f46c82cf78385
SHA256: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22
SHA512: 27e14414e5f14276901d1752d4d37bd44a469a1ef3ca1e0d46eda9dbd123cc740921ac964c8ff19a8a1743d48c472533008b4d3e216d23614998be0f7e842421
SSDEEP: 24576:XpxAowehmvjCv/WerTUET2pHwBn/kznW7iGA9fmpiQQKrP2NAkiVtfO:XpLXmbCvuerTNT2pHwB/kzOA9epixKrU
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: chrisdon00
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
  pid 2596, process Windows Update.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe)
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution (1 TTPs)
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (process: Windows Update.exe)
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 54: whatismyipaddress.com
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 2596 (Windows Update.exe) set thread context of 4780 (vbc.exe)
  PID 2596 (Windows Update.exe) set thread context of 4076 (vbc.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 2596, process Windows Update.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 2596, process Windows Update.exe
  Token: SeDebugPrivilege, pid 4780, process vbc.exe
  Token: SeDebugPrivilege, pid 4076, process vbc.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid 2596, process Windows Update.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  PID 2100 (934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe) wrote to memory of 2596 (Windows Update.exe), 3 entries
  PID 2596 (Windows Update.exe) wrote to memory of 4780 (vbc.exe), 9 entries
  PID 2596 (Windows Update.exe) wrote to memory of 4076 (vbc.exe), 9 entries
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
         - Accesses Microsoft Outlook accounts
         - Suspicious use of AdjustPrivilegeToken
      -
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: 79f405b7de6466686796f4165d3ed20e
SHA1: 9e740677f65c15654397d5f5de489d32473d643b
SHA256: e273d1b2974884f29f8ca9bc15c09267b314546142030992072425b0fea78361
SHA512: 37d75498eb38d4b6b466db3625e02f73296541f69eefb5cbb4aed08b0c20e54b5ae016e898b0cf374a4b5d0d5289a3f0d5561b425755373cc3a78e8cec09a1d4
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize: 327B
MD5: 1265c5140a2f68b05b92aa1a25a2abb6
SHA1: 627a660e9d2a41c8c4a662ca44fdb68a1356bc82
SHA256: 694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
SHA512: ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize: 1KB
MD5: 01e7975c708365983265ae40d604beb4
SHA1: f1c793c9b7a312d355cd944928ba9272bbeec44e
SHA256: 95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40
SHA512: 9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 1.0MB
MD5: f5d39ed2c191f84c4372f79dde6a7b72
SHA1: b50c2df32fb0d5e182f60394f88f46c82cf78385
SHA256: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22
SHA512: 27e14414e5f14276901d1752d4d37bd44a469a1ef3ca1e0d46eda9dbd123cc740921ac964c8ff19a8a1743d48c472533008b4d3e216d23614998be0f7e842421
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize: 1.0MB
MD5: f5d39ed2c191f84c4372f79dde6a7b72
SHA1: b50c2df32fb0d5e182f60394f88f46c82cf78385
SHA256: 934034130a3e5900b95896b58f0d75cf98216ada0b150a7e885fad944bd1fc22
SHA512: 27e14414e5f14276901d1752d4d37bd44a469a1ef3ca1e0d46eda9dbd123cc740921ac964c8ff19a8a1743d48c472533008b4d3e216d23614998be0f7e842421
-
memory/2100-133-0x00000000746F0000-0x0000000074CA1000-memory.dmp, Filesize: 5.7MB
-
memory/2100-138-0x00000000746F0000-0x0000000074CA1000-memory.dmp, Filesize: 5.7MB
-
memory/2100-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp, Filesize: 5.7MB
-
memory/2596-134-0x0000000000000000-mapping.dmp
-
memory/2596-137-0x00000000746F0000-0x0000000074CA1000-memory.dmp, Filesize: 5.7MB
-
memory/2596-139-0x00000000746F0000-0x0000000074CA1000-memory.dmp, Filesize: 5.7MB
-
memory/4076-147-0x0000000000000000-mapping.dmp
-
memory/4076-148-0x0000000000400000-0x000000000048B000-memory.dmp, Filesize: 556KB
-
memory/4076-149-0x0000000000400000-0x000000000048B000-memory.dmp, Filesize: 556KB
-
memory/4076-150-0x0000000000400000-0x000000000048B000-memory.dmp, Filesize: 556KB
-
memory/4076-151-0x0000000000400000-0x000000000048B000-memory.dmp, Filesize: 556KB
-
memory/4076-153-0x0000000000400000-0x000000000048B000-memory.dmp, Filesize: 556KB
-
memory/4780-144-0x0000000000400000-0x000000000048E000-memory.dmp, Filesize: 568KB
-
memory/4780-143-0x0000000000400000-0x000000000048E000-memory.dmp, Filesize: 568KB
-
memory/4780-146-0x0000000000400000-0x000000000048E000-memory.dmp, Filesize: 568KB
-
memory/4780-142-0x0000000000400000-0x000000000048E000-memory.dmp, Filesize: 568KB
-
memory/4780-141-0x0000000000000000-mapping.dmp