Analysis
- max time kernel: 93s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 10:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
  Resource: win10v2004-20220812-en
General
- Target: 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
- Size: 322KB
- MD5: a2f8ef5fb42b3df1cf821b0ff65ff49a
- SHA1: 1e5db5c9ebfffb65385d3d4140aafccd182bb05e
- SHA256: 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059
- SHA512: ef32373c620992a2668754a94bf8757e2f22cbe38dd25be4fc3d13d01bda12b4a62f087abaca8d5f1702a5576f2a34b32dbee4df360803de03f7cfd28de10b91
- SSDEEP: 6144:iRSE+VDpJYWmlwnx9u6BMf0Cv3g6dg9wx/Kj64/:2SE+VF9mOx9ukEv3g6dFx/Kj64
Malware Config
Signatures
- NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource                                           yara_rule
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       MailPassView
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       MailPassView
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       MailPassView
- Nirsoft (7 IoCs)
  Processes:
    resource                                           yara_rule
    C:\Users\Admin\AppData\Local\Temp\passwordfox.exe  Nirsoft
    C:\Users\Admin\AppData\Local\Temp\passwordfox.exe  Nirsoft
    C:\Users\Admin\AppData\Local\Temp\iepv.exe         Nirsoft
    C:\Users\Admin\AppData\Local\Temp\iepv.exe         Nirsoft
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       Nirsoft
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       Nirsoft
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe       Nirsoft
- Executes dropped EXE (4 IoCs)
  Processes:
    pid   process
    3652  passwordfox.exe
    224   iepv.exe
    4524  mailpv.exe
    3188  mailpv.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 2 IoCs)
  Processes:
    description  ioc                                                                                                                        process
    Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  mailpv.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  mailpv.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
    Token: SeDebugPrivilege    224   iepv.exe
    Token: SeRestorePrivilege  224   iepv.exe
    Token: SeBackupPrivilege   224   iepv.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 4664 wrote to memory of 3652  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  passwordfox.exe
    PID 4664 wrote to memory of 3652  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  passwordfox.exe
    PID 4664 wrote to memory of 3652  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  passwordfox.exe
    PID 4664 wrote to memory of 224   4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  iepv.exe
    PID 4664 wrote to memory of 224   4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  iepv.exe
    PID 4664 wrote to memory of 224   4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  iepv.exe
    PID 4664 wrote to memory of 4524  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
    PID 4664 wrote to memory of 4524  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
    PID 4664 wrote to memory of 4524  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
    PID 4664 wrote to memory of 3188  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
    PID 4664 wrote to memory of 3188  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
    PID 4664 wrote to memory of 3188  4664  3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe  mailpv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\iepv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\mailpv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
  - C:\Users\Admin\AppData\Local\Temp\mailpv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\firefox.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Local\Temp\ie.txt
  Filesize: 1KB
  MD5: d70913819f8f59ed27d9b3e795244b09
  SHA1: a240a934d289e177612f419421cbc8ad61603e18
  SHA256: eac08ebd3d06b7bf9f20fb4856d81364b7a54f6ee141b151e4b2369fd28328e4
  SHA512: 3a92ec8181ec40adc729ef0fa08d3555e7011bbe681bcd50830ca6dd6ca8d2f14839eb81a89d51f883231039d86b41b2ea81efd497b0e4f3d974ceda4a22521a
- C:\Users\Admin\AppData\Local\Temp\iepv.exe
  Filesize: 88KB
  MD5: 96eaf707a7f5e252e0ef640a9f9a41e9
  SHA1: 1db028b8e2dad98ab25abfa498ffd0e344b8178c
  SHA256: 9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2
  SHA512: 12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0
- C:\Users\Admin\AppData\Local\Temp\mailpv.exe
  Filesize: 96KB
  MD5: 3f5aca02abb16dbf86748596e4fa0258
  SHA1: 1588bfd4e090d3d194879899c02dcc207d5ca257
  SHA256: 10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0
  SHA512: bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420
- C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
  Filesize: 88KB
  MD5: 09b98d668124d3894814f57e84da1b25
  SHA1: 13e3ede7c513d7e6853f99309b83ca01a1de41fd
  SHA256: 432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512
  SHA512: 2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615
- memory/224-137-0x0000000000000000-mapping.dmp
- memory/3188-144-0x0000000000000000-mapping.dmp
- memory/3652-133-0x0000000000000000-mapping.dmp
- memory/4524-141-0x0000000000000000-mapping.dmp
- memory/4664-132-0x00007FFBD4160000-0x00007FFBD4B96000-memory.dmp
  Filesize: 10.2MB