Analysis
- Max time kernel: 80s
- Max time network: 146s
- Platform: windows7_x64
- Resource: win7-20220901-en
- Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- Submitted: 28-11-2022 09:43
Behavioral task: behavioral1
- Sample: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe
- Resource: win10v2004-20221111-en
General
- Target: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe
- Size: 474KB
- MD5: 7d0ae37fa10214e08bd703fcdc11ef97
- SHA1: 043c1d38de0b9aff3de431b28a0684a930008031
- SHA256: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6
- SHA512: 3e3e659e3143ce2b569f0c700216f252c3056d5c0bcccd3a63d379d4fb438cfd574ac98e012fd4c1b7edddea40e6e73bfa05634f865b71c2738da254addf212e
- SSDEEP: 12288:0XmChXYgOwlwB3QsFtbDxC83luFi5kC2Hgqam5Jtta8N/X1Q3jjN:0BIXi49fxB1Si5Xqam5
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: doffice3@mail.ru
- Password: F^^k4@home
Signatures

NirSoft MailPassView (12 IoCs)
Password recovery tool for various email clients
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/932-60-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView |
| behavioral1/memory/932-61-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView |
| behavioral1/memory/932-62-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView |
| behavioral1/memory/932-63-0x000000000047E8FE-mapping.dmp | MailPassView |
| behavioral1/memory/932-65-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView |
| behavioral1/memory/932-67-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView |
| behavioral1/memory/1600-76-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView |
| behavioral1/memory/1600-77-0x0000000000411654-mapping.dmp | MailPassView |
| behavioral1/memory/1600-80-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView |
| behavioral1/memory/1600-82-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView |
| behavioral1/memory/1600-84-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView |
| behavioral1/memory/1668-91-0x000000000047E8FE-mapping.dmp | MailPassView |

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/932-60-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView |
| behavioral1/memory/932-61-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView |
| behavioral1/memory/932-62-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView |
| behavioral1/memory/932-63-0x000000000047E8FE-mapping.dmp | WebBrowserPassView |
| behavioral1/memory/932-65-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView |
| behavioral1/memory/932-67-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView |
| behavioral1/memory/1668-91-0x000000000047E8FE-mapping.dmp | WebBrowserPassView |

Nirsoft (12 IoCs)
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/932-60-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft |
| behavioral1/memory/932-61-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft |
| behavioral1/memory/932-62-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft |
| behavioral1/memory/932-63-0x000000000047E8FE-mapping.dmp | Nirsoft |
| behavioral1/memory/932-65-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft |
| behavioral1/memory/932-67-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft |
| behavioral1/memory/1600-76-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft |
| behavioral1/memory/1600-77-0x0000000000411654-mapping.dmp | Nirsoft |
| behavioral1/memory/1600-80-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft |
| behavioral1/memory/1600-82-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft |
| behavioral1/memory/1600-84-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft |
| behavioral1/memory/1668-91-0x000000000047E8FE-mapping.dmp | Nirsoft |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: vbc.exe

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe |

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:

| flow | ioc |
|---|---|
| 3 | whatismyipaddress.com |
| 5 | whatismyipaddress.com |
| 6 | whatismyipaddress.com |

Suspicious use of SetThreadContext (3 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, takshost.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 1700 set thread context of 932 | 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| PID 932 set thread context of 1600 | 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | vbc.exe |
| PID 1200 set thread context of 1668 | 1200 | takshost.exe | takshost.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, takshost.exe

| pid | process |
|---|---|
| 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| 1200 | takshost.exe |
| 1200 | takshost.exe |

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe

| pid | process |
|---|---|
| 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, takshost.exe

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| Token: SeDebugPrivilege | 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |
| Token: SeDebugPrivilege | 1200 | takshost.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe

| pid | process |
|---|---|
| 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe |

Suspicious use of WriteProcessMemory (36 IoCs)
Processes: 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe, takshost.exe

The report lists one row per write; identical rows are collapsed here with their count.

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 1700 wrote to memory of 932 | 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | 9 |
| PID 1700 wrote to memory of 1200 | 1700 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | takshost.exe | 4 |
| PID 932 wrote to memory of 1672 | 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | dw20.exe | 4 |
| PID 932 wrote to memory of 1600 | 932 | 740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe | vbc.exe | 10 |
| PID 1200 wrote to memory of 1668 | 1200 | takshost.exe | takshost.exe | 9 |
Processes

- C:\Users\Admin\AppData\Local\Temp\740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\740d2568f1f56ebac12251775e44e91196282a1caaf6c43386b7fb9c5190c4d6.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1664
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
Downloads

| memory dump | filesize |
|---|---|
| memory/932-81-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/932-101-0x00000000004C5000-0x00000000004D6000-memory.dmp | 68KB |
| memory/932-100-0x00000000004C5000-0x00000000004D6000-memory.dmp | 68KB |
| memory/932-57-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-58-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-60-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-61-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-62-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-63-0x000000000047E8FE-mapping.dmp | |
| memory/932-65-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-67-0x0000000000400000-0x0000000000484000-memory.dmp | 528KB |
| memory/932-69-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1200-73-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1200-70-0x0000000000000000-mapping.dmp | |
| memory/1200-97-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1200-83-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1600-77-0x0000000000411654-mapping.dmp | |
| memory/1600-80-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB |
| memory/1600-76-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB |
| memory/1600-82-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB |
| memory/1600-84-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB |
| memory/1668-91-0x000000000047E8FE-mapping.dmp | |
| memory/1668-98-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1668-99-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1672-74-0x0000000000000000-mapping.dmp | |
| memory/1700-72-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1700-54-0x0000000074E41000-0x0000000074E43000-memory.dmp | 8KB |
| memory/1700-56-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |
| memory/1700-55-0x0000000074160000-0x000000007470B000-memory.dmp | 5.7MB |