Analysis
- max time kernel: 182s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 20:52
Static task: static1
Behavioral task: behavioral1
- Sample: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Resource: win10v2004-20220812-en
General
- Target: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Size: 851KB
- MD5: a325f236a67ad2b6358456ab41e1579c
- SHA1: f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
- SHA256: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
- SHA512: e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
- SSDEEP: 12288:Edzgfn7tc9g5pdpfeAvdbzseZtzsUrm4GWbhuAmjKwtC2ccq6/C:EdzM7X5RPNTlrm4GWbh0jKuCa/
Malware Config
Extracted
- Protocol: smtp
- Host: mail.krippspharmacy.com
- Port: 587
- Username: mail@krippspharmacy.com
- Password: 12Durex@
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3284 | Windows Update.exe
  2884 | Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  9 | whatismyipaddress.com
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1332 set thread context of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 3284 set thread context of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 2884 set thread context of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 set thread context of 4048 | 2884 | Windows Update.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
  2884 | Windows Update.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2884 | Windows Update.exe
  Token: SeDebugPrivilege | 4816 | vbc.exe
  Token: SeDebugPrivilege | 4048 | vbc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description | pid | process | target process):
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 1332 wrote to memory of 4944 | 1332 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  PID 4944 wrote to memory of 3284 | 4944 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | Windows Update.exe
  PID 4944 wrote to memory of 3284 | 4944 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | Windows Update.exe
  PID 4944 wrote to memory of 3284 | 4944 | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 3284 wrote to memory of 2884 | 3284 | Windows Update.exe | Windows Update.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4816 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
  PID 2884 wrote to memory of 4048 | 2884 | Windows Update.exe | vbc.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
          - Suspicious use of AdjustPrivilegeToken
        Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log
  Filesize: 680B
  MD5: 57759fe60eac7d0305440dd783f63f9d
  SHA1: 5bc02ad2e03aa79a7dd9aad18eaacf09b649f2a2
  SHA256: 2c69a59f3b25701c3b6ba2bc5e7a406885e2cc4eefdbc9f904d8ead2aedb22f3
  SHA512: bde22023288b4e67e17f717b537e578ca3e69725469d9bb29959c9502ceb5029cac146faefc81987cf4ce0d194db7101833d43950bc7d1a2630d975ae3a91a23
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe.log
  Filesize: 500B
  MD5: 010e583858b4b6c97cc79a40ea3b682a
  SHA1: 820553512ffb533b9c2c31429fe89d82e4baf508
  SHA256: 96c7b50de55a134534378de700d77dd5ccf780b498d59c631bd19c9e61212ebd
  SHA512: 00f8097e01d9c9f034d908c10f4fdc5d9cd1041c0352b772795ab5e9ae13c9eaf02fe335cc2634b8feebcef771b371d8a1217e04b9d2a8f14b9ed513d5155f8c
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: c23b4dca2fb385a95fe457abf38f8a12
  SHA1: 642fa6a8e90a369c7eefd5a7051d00531823e583
  SHA256: 132d60ed79cc32e5e5da44ef0f444bfb8c0bb66f0f76d39ea8347c65e498fb6d
  SHA512: bf150f0d98c936610a6ce15eee63e4213c279d17261e1d242abac2a47fce99e861ff14d9d263c3d69128119ad724ddbc4e4af5e4ad900ef79646d8a1641bda0b
- C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 327B
  MD5: 1265c5140a2f68b05b92aa1a25a2abb6
  SHA1: 627a660e9d2a41c8c4a662ca44fdb68a1356bc82
  SHA256: 694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
  SHA512: ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
- C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 1KB
  MD5: 01e7975c708365983265ae40d604beb4
  SHA1: f1c793c9b7a312d355cd944928ba9272bbeec44e
  SHA256: 95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40
  SHA512: 9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 851KB
  MD5: a325f236a67ad2b6358456ab41e1579c
  SHA1: f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
  SHA256: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
  SHA512: e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 851KB
  MD5: a325f236a67ad2b6358456ab41e1579c
  SHA1: f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
  SHA256: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
  SHA512: e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 851KB
  MD5: a325f236a67ad2b6358456ab41e1579c
  SHA1: f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
  SHA256: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
  SHA512: e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
- memory/1332-136-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/1332-132-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/2884-150-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/2884-148-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/2884-143-0x0000000000000000-mapping.dmp
- memory/3284-147-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/3284-138-0x0000000000000000-mapping.dmp
- memory/3284-142-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/4048-157-0x0000000000000000-mapping.dmp
- memory/4048-163-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/4048-161-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/4048-160-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/4048-159-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/4048-158-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/4816-151-0x0000000000000000-mapping.dmp
- memory/4816-156-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/4816-154-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/4816-153-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/4816-152-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/4944-134-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
- memory/4944-137-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)
- memory/4944-133-0x0000000000000000-mapping.dmp
- memory/4944-141-0x0000000074880000-0x0000000074E31000-memory.dmp (Filesize: 5.7MB)