3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
Size

322KB
MD5

a2f8ef5fb42b3df1cf821b0ff65ff49a
SHA1

1e5db5c9ebfffb65385d3d4140aafccd182bb05e
SHA256

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059
SHA512

ef32373c620992a2668754a94bf8757e2f22cbe38dd25be4fc3d13d01bda12b4a62f087abaca8d5f1702a5576f2a34b32dbee4df360803de03f7cfd28de10b91
SSDEEP

6144:iRSE+VDpJYWmlwnx9u6BMf0Cv3g6dg9wx/Kj64/:2SE+VF9mOx9ukEv3g6dFx/Kj64

Score

9^/10

collection spyware stealer

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	MailPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\iepv.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\iepv.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\mailpv.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

passwordfox.exeiepv.exemailpv.exemailpv.exe

pid process

3652 passwordfox.exe
224 iepv.exe
4524 mailpv.exe
3188 mailpv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3652	passwordfox.exe
224	iepv.exe
4524	mailpv.exe
3188	mailpv.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

mailpv.exemailpv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exeiepv.exe

description	pid	process
Token: SeDebugPrivilege	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
Token: SeDebugPrivilege	224	iepv.exe
Token: SeRestorePrivilege	224	iepv.exe
Token: SeBackupPrivilege	224	iepv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe

description	pid	process	target process
PID 4664 wrote to memory of 3652	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 4664 wrote to memory of 3652	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 4664 wrote to memory of 3652	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 4664 wrote to memory of 224	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 4664 wrote to memory of 224	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 4664 wrote to memory of 224	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 4664 wrote to memory of 4524	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe
PID 4664 wrote to memory of 4524	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe
PID 4664 wrote to memory of 4524	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe
PID 4664 wrote to memory of 3188	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe
PID 4664 wrote to memory of 3188	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe
PID 4664 wrote to memory of 3188	4664	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	mailpv.exe

C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
2⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\AppData\Local\Temp\iepv.exe
C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Users\Admin\AppData\Local\Temp\mailpv.exe
C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4524

C:\Users\Admin\AppData\Local\Temp\mailpv.exe
C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ie.txt
Filesize
1KB

MD5
d70913819f8f59ed27d9b3e795244b09

SHA1
a240a934d289e177612f419421cbc8ad61603e18

SHA256
eac08ebd3d06b7bf9f20fb4856d81364b7a54f6ee141b151e4b2369fd28328e4

SHA512
3a92ec8181ec40adc729ef0fa08d3555e7011bbe681bcd50830ca6dd6ca8d2f14839eb81a89d51f883231039d86b41b2ea81efd497b0e4f3d974ceda4a22521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe
Filesize
88KB

MD5
96eaf707a7f5e252e0ef640a9f9a41e9

SHA1
1db028b8e2dad98ab25abfa498ffd0e344b8178c

SHA256
9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2

SHA512
12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe
Filesize
88KB

MD5
96eaf707a7f5e252e0ef640a9f9a41e9

SHA1
1db028b8e2dad98ab25abfa498ffd0e344b8178c

SHA256
9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2

SHA512
12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailpv.exe
Filesize
96KB

MD5
3f5aca02abb16dbf86748596e4fa0258

SHA1
1588bfd4e090d3d194879899c02dcc207d5ca257

SHA256
10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0

SHA512
bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailpv.exe
Filesize
96KB

MD5
3f5aca02abb16dbf86748596e4fa0258

SHA1
1588bfd4e090d3d194879899c02dcc207d5ca257

SHA256
10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0

SHA512
bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailpv.exe
Filesize
96KB

MD5
3f5aca02abb16dbf86748596e4fa0258

SHA1
1588bfd4e090d3d194879899c02dcc207d5ca257

SHA256
10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0

SHA512
bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
Filesize
88KB

MD5
09b98d668124d3894814f57e84da1b25

SHA1
13e3ede7c513d7e6853f99309b83ca01a1de41fd

SHA256
432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512

SHA512
2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
Filesize
88KB

MD5
09b98d668124d3894814f57e84da1b25

SHA1
13e3ede7c513d7e6853f99309b83ca01a1de41fd

SHA256
432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512

SHA512
2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615

Download Submit
memory/224-137-0x0000000000000000-mapping.dmp

Download
memory/3188-144-0x0000000000000000-mapping.dmp

Download
memory/3652-133-0x0000000000000000-mapping.dmp

Download
memory/4524-141-0x0000000000000000-mapping.dmp

Download
memory/4664-132-0x00007FFBD4160000-0x00007FFBD4B96000-memory.dmp

Filesize
10.2MB

Download