Analysis
Max time kernel: 151s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-11-2022 08:44

Static task: static1

Behavioral task: behavioral1
  Sample: 70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
  Resource: win10v2004-20220812-en
General
Target: 70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
Size: 1.8MB
MD5: 6c5a683b8c5437c9948af6f1f24122ad
SHA1: 68e2768d5302a42f59cf05c80dbef5177fecc5fe
SHA256: 70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c
SHA512: 84a9b4b295be773f589c89db2b5e2d5c58fff1b941d51cfdaae02a7cc4e650bb9becca7fa7d6c3e8b9596b5b29393cf3da2106ec0601785c52bb1a9b12b3179a
SSDEEP: 24576:H2O/GlzEWEOTFzd02il9LqErkrbF/E7xse1m95l1ypaIdxvHWPSKa7kBEXZN7PNQ:HXOTF+ZvWEk/h95yvd8gkBEJNz5Q
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid / process):
  4956  ghmvnppkfwer.exe

Processes (resource / yara_rule):
  C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe  upx
  C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe  upx
  behavioral2/memory/4956-136-0x0000000000140000-0x00000000001FD000-memory.dmp  upx
  behavioral2/memory/4956-137-0x0000000000140000-0x00000000001FD000-memory.dmp  upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\27165O~1 = "C:\\Users\\Admin\\27165O~1\\kuoqauiufyss.vbs"  ghmvnppkfwer.exe
  Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  ghmvnppkfwer.exe

Checks whether UAC is enabled
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ghmvnppkfwer.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  32  whatismyipaddress.com
  34  whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
  PID 4956 set thread context of 3396  ghmvnppkfwer.exe -> RegSvcs.exe
  PID 3396 set thread context of 808   RegSvcs.exe -> vbc.exe
  PID 3396 set thread context of 2088  RegSvcs.exe -> vbc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
  4956  ghmvnppkfwer.exe  (4 entries)
  3396  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  3396  RegSvcs.exe
  Token: SeDebugPrivilege  808   vbc.exe
  Token: SeDebugPrivilege  2088  vbc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
  3396  RegSvcs.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes (description / pid / process / target process):
  PID 1768 wrote to memory of 4956  70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe -> ghmvnppkfwer.exe  (3 entries)
  PID 4956 wrote to memory of 3396  ghmvnppkfwer.exe -> RegSvcs.exe  (5 entries)
  PID 3396 wrote to memory of 808   RegSvcs.exe -> vbc.exe  (9 entries)
  PID 3396 wrote to memory of 2088  RegSvcs.exe -> vbc.exe  (9 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe
    Command line: "C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe" aswwah
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\27165O~1\lrvt.GUB
  Filesize: 1.1MB
  MD5: 93bb3f7a0615c8cb593b4c9b566c43c5
  SHA1: e094f02afc6cebfbf0b95001732b69089f06730f
  SHA256: 67d431f6845b9004edf7dcb2631ef98aed85908b04a4908ab1f3e36daf9bf8ea
  SHA512: 78b571512653c851585206b57b6be7aae6fc6a67d084bbad2e080ad5d40c7a9d82e73618b388c7bf33bddd3a45caec5e3c1792378d6033e006c49cb538568863

C:\Users\Admin\27165O~1\soksdjgwow.ZWR
  Filesize: 91B
  MD5: aaef5dc2893be0610bc316a889ebe622
  SHA1: 4a4eced8c28dee38f52697bf00bed5b002935f64
  SHA256: 1e329364bf195adafdca74919179dcb8398f493abbc5de197d409b3d7bd13ca3
  SHA512: 8f8584fd904fd7e46534794da50c8e9329974decca9db0110ef06dd888bf2d64315bf69a21371adfa27f5add5a0e4484d64d8177676c8740c0de654bca38be0f

C:\Users\Admin\27165oi8gm8ve1\aswwah
  Filesize: 646.7MB
  MD5: 313f15154c468efde1f2969005b14611
  SHA1: bd530bb5fe177b66f1d03cff0bb18a98c74d4617
  SHA256: 875942d497aaeb36382d60ea45d8dd87ef40dd83167e44531fc9cb7cf7131eb8
  SHA512: b8b5d617b9c2f0a10b41cf568dc21db302e196bc940e8318d223f70bf58c9579c35159cd85411c965e85aaad9d8f72b76b6b4cda5f4f72dfca22dfd19b806246

C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe
  Filesize: 255KB
  MD5: 7c00f2416ca6b769f8d65e21660e707e
  SHA1: 49a51bd688c2b081a8bf12168eb03f716d3bca64
  SHA256: 89cdd5d690fae929be74743308a7881660c53bcea8a91414658bfbafa2683eb5
  SHA512: dd83d619e5d8147255dc7a234bc0c3d5b093cd4b4251bdd3a8b805371420d61803f8dbd20ebbf5b3ed6290eb22ff36109596621f6d8c66c83f1e292fb9b9946f

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 1KB
  MD5: 01e7975c708365983265ae40d604beb4
  SHA1: f1c793c9b7a312d355cd944928ba9272bbeec44e
  SHA256: 95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40
  SHA512: 9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 327B
  MD5: 1265c5140a2f68b05b92aa1a25a2abb6
  SHA1: 627a660e9d2a41c8c4a662ca44fdb68a1356bc82
  SHA256: 694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
  SHA512: ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
Memory dumps (file / Filesize):
  memory/808-148-0x0000000000000000-mapping.dmp
  memory/808-149-0x0000000000400000-0x000000000048E000-memory.dmp  568KB
  memory/808-150-0x0000000000400000-0x000000000048E000-memory.dmp  568KB
  memory/808-151-0x0000000000400000-0x000000000048E000-memory.dmp  568KB
  memory/808-152-0x0000000000400000-0x000000000048E000-memory.dmp  568KB
  memory/808-154-0x0000000000400000-0x000000000048E000-memory.dmp  568KB
  memory/2088-155-0x0000000000000000-mapping.dmp
  memory/2088-156-0x0000000000400000-0x000000000048B000-memory.dmp  556KB
  memory/2088-157-0x0000000000400000-0x000000000048B000-memory.dmp  556KB
  memory/2088-158-0x0000000000400000-0x000000000048B000-memory.dmp  556KB
  memory/2088-159-0x0000000000400000-0x000000000048B000-memory.dmp  556KB
  memory/2088-161-0x0000000000400000-0x000000000048B000-memory.dmp  556KB
  memory/3396-140-0x0000000000000000-mapping.dmp
  memory/3396-141-0x0000000000D00000-0x0000000000E22000-memory.dmp  1.1MB
  memory/3396-142-0x00000000051D0000-0x000000000526C000-memory.dmp  624KB
  memory/3396-143-0x0000000005820000-0x0000000005DC4000-memory.dmp  5.6MB
  memory/3396-144-0x0000000005310000-0x00000000053A2000-memory.dmp  584KB
  memory/3396-145-0x00000000052C0000-0x00000000052CA000-memory.dmp  40KB
  memory/3396-146-0x0000000005540000-0x0000000005596000-memory.dmp  344KB
  memory/3396-147-0x00000000083B0000-0x0000000008416000-memory.dmp  408KB
  memory/4956-132-0x0000000000000000-mapping.dmp
  memory/4956-136-0x0000000000140000-0x00000000001FD000-memory.dmp  756KB
  memory/4956-137-0x0000000000140000-0x00000000001FD000-memory.dmp  756KB