Analysis

max time kernel:   147s
max time network:  163s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         27-11-2022 14:01
Static task:       static1
Behavioral task:   behavioral1
Sample:            545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
Resource:          win7-20220812-en
General

Target:  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
Size:    562KB
MD5:     f886c38a35b5b55226ee4160baf51f43
SHA1:    36c3a0571a2123f71ad168501857de60790041b7
SHA256:  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
SHA512:  904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b
SSDEEP:  12288:zmOGmPQkxEB95xE3JWsJIoDSKPVpzNKwP/6XFh61CUnIfm5f03:zmxmPQ55x9KdpzNNPiVvUIp
Malware Config
Signatures

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients.
  resource                                                                      yara_rule
  behavioral2/memory/748-135-0x0000000000400000-0x0000000000484000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers.
  resource                                                                      yara_rule
  behavioral2/memory/748-135-0x0000000000400000-0x0000000000484000-memory.dmp  WebBrowserPassView

Nirsoft (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/748-135-0x0000000000400000-0x0000000000484000-memory.dmp  Nirsoft

Executes dropped EXE (3 IoCs)
  pid   process
  4308  Windows Update.exe
  776   Windows Update.exe
  3284  Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely used for geofencing.
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                         process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnk  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnk  Windows Update.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  41    whatismyipaddress.com

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   process                                                                target process
  PID 1628 set thread context of 748   1628  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
  PID 4308 set thread context of 3284  4308  Windows Update.exe                                                     Windows Update.exe
  PID 3284 set thread context of 3084  3284  Windows Update.exe                                                     vbc.exe
  PID 3284 set thread context of 4056  3284  Windows Update.exe                                                     vbc.exe

Drops file in Windows directory (1 IoC)
  description   ioc                                            process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid   pid_target  process       target process
  2332  3084        WerFault.exe  vbc.exe
  2728  4056        WerFault.exe  vbc.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  4308  Windows Update.exe
  4308  Windows Update.exe
  3284  Windows Update.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                pid   process             occurrences
  Token: SeDebugPrivilege    4308  Windows Update.exe  1
  Token: SeDebugPrivilege    3284  Windows Update.exe  1
  Token: SeRestorePrivilege  1928  dw20.exe            1
  Token: SeBackupPrivilege   1928  dw20.exe            4

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  3284  Windows Update.exe

Suspicious use of WriteProcessMemory (49 IoCs)
Identical write events are collapsed; the occurrences column gives how many times each source/target pair was recorded.
  pid   target pid  process                                                                target process                                                         occurrences
  1628  748         545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe  545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe  8
  748   4308        545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe  Windows Update.exe                                                     3
  4308  776         Windows Update.exe                                                     Windows Update.exe                                                     3
  4308  3284        Windows Update.exe                                                     Windows Update.exe                                                     8
  3284  3084        Windows Update.exe                                                     vbc.exe                                                                9
  3284  4056        Windows Update.exe                                                     vbc.exe                                                                9
  3284  1928        Windows Update.exe                                                     dw20.exe                                                               3
  3084  2332        vbc.exe                                                                WerFault.exe                                                           3
  4056  2728        vbc.exe                                                                WerFault.exe                                                           3
Processes

Indentation and the bracketed number give the depth of each process in the spawn tree.

[1] C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823.exe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            - Drops startup file
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\Windows Update.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Roaming\Windows Update.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 188
                        - Program crash

                [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 188
                        - Program crash

                [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                    Command line: dw20.exe -x -s 2572
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3084 -ip 3084

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4056 -ip 4056
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5:      dadcdbfd871a7b4edeb98ad70621ad60
  SHA1:     8b0268f5540fd0bc0d71fb2d7b268c85a89a093f
  SHA256:   744e2f63293665e69598dc1fd4164c0ba6de2b5a710e0d60a74c2d3c92f24b33
  SHA512:   e4fbcffe87f4be2e4d4034cbb9b284ec42d2c6766fe246043b9fc9ba1e0c2436fb0159d9a90a562e7cb3fbd09cc699ede517c91a0a4292d26e929d94c795390f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gz68mkaaJQ.lnk
  Filesize: 999B
  MD5:      fe5e567f6d44c48024973d793dd80516
  SHA1:     54ae92f8a268b5c8bce31ce5895bcda9b3af247d
  SHA256:   76d110dd4a9e263f3647faf5e1879c05efb3a3a01fc901620ed4943c4ee938fc
  SHA512:   ac2d730e1802c67482861862ce50297cd60391bf3f39c2416d30324d5f98b9385741cc0323a83e14cfa64045ec1221be15b3a6fc9af70336ba3334b6ff8143df

C:\Users\Admin\AppData\Roaming\TwLiiVlrzn\gz68mkaaJQ.exe
  Filesize: 562KB
  MD5:      f886c38a35b5b55226ee4160baf51f43
  SHA1:     36c3a0571a2123f71ad168501857de60790041b7
  SHA256:   545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
  SHA512:   904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 562KB
  MD5:      f886c38a35b5b55226ee4160baf51f43
  SHA1:     36c3a0571a2123f71ad168501857de60790041b7
  SHA256:   545778886ec6aacd7a33e1865c938ca43ebe4be2d7169f2a91fc030be7141823
  SHA512:   904c7a5deb27d25db399b1724f01a9f3cc5665e994bf3cccc93dd496693264da64f10f2f1e6e92aac847089495228ff6401948bf05199c70c322966a84073b6b

  dump                                                              Filesize
  memory/748-136-0x0000000074D20000-0x00000000752D1000-memory.dmp   5.7MB
  memory/748-142-0x0000000074D20000-0x00000000752D1000-memory.dmp   5.7MB
  memory/748-137-0x0000000074D20000-0x00000000752D1000-memory.dmp   5.7MB
  memory/748-135-0x0000000000400000-0x0000000000484000-memory.dmp   528KB
  memory/748-134-0x0000000000000000-mapping.dmp
  memory/776-144-0x0000000000000000-mapping.dmp
  memory/1628-132-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/1628-133-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/1928-162-0x0000000000000000-mapping.dmp
  memory/2332-163-0x0000000000000000-mapping.dmp
  memory/2728-164-0x0000000000000000-mapping.dmp
  memory/3084-156-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
  memory/3084-154-0x0000000000000000-mapping.dmp
  memory/3284-149-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/3284-153-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/3284-146-0x0000000000000000-mapping.dmp
  memory/4056-155-0x0000000000000000-mapping.dmp
  memory/4056-157-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/4308-143-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/4308-141-0x0000000074D20000-0x00000000752D1000-memory.dmp  5.7MB
  memory/4308-138-0x0000000000000000-mapping.dmp