Analysis
- max time kernel: 150s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 09:01

Static task: static1
Behavioral task: behavioral1
- Sample: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Resource: win7-20221111-en
General
- Target: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Size: 784KB
- MD5: 95b7ecc4b249773ac729e67dc217ebc0
- SHA1: 7e85b2c1e4a6bc15ddc6145a0dff883e0236a270
- SHA256: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663
- SHA512: 82882c46716faf32110cf57c05619a5381d93bc942a8f491b94d12f0b9081746b86505fbca8367ed77857040f18ca815b949ec2668e87ae1f4b89ecc40a4b8b6
- SSDEEP: 24576:9kduyDzPEZ0SUZkPiQM4G4Ktdj4/vpcS9:quGT1Sik6J4G4KtS/vp7
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.zoho.com
- Port: 587
- Username: logs@chopsecurity.ru
- Password: gfdsa321
Signatures
- NirSoft MailPassView (1 IoCs)
  Password recovery tool for various email clients
  Processes:
  resource: behavioral2/memory/5032-135-0x0000000000400000-0x0000000000484000-memory.dmp; yara_rule: MailPassView
- NirSoft WebBrowserPassView (1 IoCs)
  Password recovery tool for various web browsers
  Processes:
  resource: behavioral2/memory/5032-135-0x0000000000400000-0x0000000000484000-memory.dmp; yara_rule: WebBrowserPassView
- Nirsoft (1 IoCs)
  Processes:
  resource: behavioral2/memory/5032-135-0x0000000000400000-0x0000000000484000-memory.dmp; yara_rule: Nirsoft
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow: 90; ioc: whatismyipaddress.com
  flow: 94; ioc: whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  description: PID 912 set thread context of 5032; pid: 912; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe; target process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  pid: 5032; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe, f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  description: Token: SeDebugPrivilege; pid: 912; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  description: Token: SeDebugPrivilege; pid: 5032; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  pid: 5032; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
  description: PID 912 wrote to memory of 5032; pid: 912; process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe; target process: f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe (this entry is repeated 8 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child process) C:\Users\Admin\AppData\Local\Temp\f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f06272ee388b7f20c3ad638fd10d32b276f66ec473ee39fdc1282ae7d4720663.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/912-132-0x0000000075180000-0x0000000075731000-memory.dmp (Filesize: 5.7MB)
- memory/912-133-0x0000000075180000-0x0000000075731000-memory.dmp (Filesize: 5.7MB)
- memory/912-136-0x0000000075180000-0x0000000075731000-memory.dmp (Filesize: 5.7MB)
- memory/5032-134-0x0000000000000000-mapping.dmp
- memory/5032-135-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/5032-137-0x0000000075180000-0x0000000075731000-memory.dmp (Filesize: 5.7MB)
- memory/5032-138-0x0000000075180000-0x0000000075731000-memory.dmp (Filesize: 5.7MB)