88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76

General

Target

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
Size

1.0MB
MD5

5a508cf2e1ffb88cc88b9f6ceb1e0881
SHA1

0736f675247788b2ded041194b3de849dd0a0583
SHA256

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76
SHA512

49bec1bd329ab1ee80eb579232f430b9047a7db75f0f857a3fd82efadab5dc3d001e86e3c3d669abc6dd5488e92fb0cbeddf7e2fb51c378e99de98fa080c0ea1
SSDEEP

24576:9GWLsbfHL29b7SPT3d8Tz4IsS7z7NDo3OLoWgiK0uVa3bz5t6:9GQsLre7SPp8TnsQHNDiOUnwbzC

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4364-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4364-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/4840-144-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/4840-141-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4840-153-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/4840-154-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4364-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/4840-144-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4840-141-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4840-153-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4840-154-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

84 whatismyipaddress.com
88 whatismyipaddress.com

flow	ioc
84	whatismyipaddress.com
88	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe

description	pid	process	target process
PID 1720 set thread context of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 4364 set thread context of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 set thread context of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 set thread context of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 set thread context of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe

pid	process
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
Token: SeDebugPrivilege	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
Token: SeRestorePrivilege	4816	dw20.exe
Token: SeBackupPrivilege	4816	dw20.exe
Token: SeBackupPrivilege	4816	dw20.exe
Token: SeBackupPrivilege	4816	dw20.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe

description	pid	process	target process
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 1720 wrote to memory of 4364	1720	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
PID 4364 wrote to memory of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 2800	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 3132	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4840	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4492	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	vbc.exe
PID 4364 wrote to memory of 4816	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	dw20.exe
PID 4364 wrote to memory of 4816	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	dw20.exe
PID 4364 wrote to memory of 4816	4364	88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
"C:\Users\Admin\AppData\Local\Temp\88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe
"C:\Users\Admin\AppData\Local\Temp\88cbd719034317bc55c414335508d3fa73541e899b263c3390a9de30ec241d76.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2712
3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3132 -ip 3132
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2800 -ip 2800
1⤵
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-133-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-132-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-136-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2800-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2800-139-0x0000000000000000-mapping.dmp

Download
memory/3132-143-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3132-140-0x0000000000000000-mapping.dmp

Download
memory/4364-138-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-137-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download
memory/4492-147-0x0000000000000000-mapping.dmp

Download
memory/4816-152-0x0000000000000000-mapping.dmp

Download
memory/4840-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4840-141-0x0000000000000000-mapping.dmp

Download
memory/4840-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4840-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads