Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 10:49
Behavioral task: behavioral1
- Sample: PI.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: PI.exe
- Resource: win10v2004-20220901-en
General
- Target: PI.exe
- Size: 992KB
- MD5: f915f94f551c0c5371d093dbe27bbfaa
- SHA1: 912941a11e2c924eceb37ac5928ba457a10d8512
- SHA256: 9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
- SHA512: a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
- SSDEEP: 24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: diamond7625w@gmail.com
- Password: pdmiawgubaleywef
Signatures
- NirSoft MailPassView (5 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    behavioral2/memory/2320-153-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
    behavioral2/memory/2160-155-0x0000000000000000-mapping.dmp | MailPassView
    behavioral2/memory/2160-156-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/2160-158-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/2160-159-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/2320-153-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
- Nirsoft (5 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/2320-153-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
    behavioral2/memory/2160-155-0x0000000000000000-mapping.dmp | Nirsoft
    behavioral2/memory/2160-156-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/2160-158-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/2160-159-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    3760 | IpOverUsbSvrc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | PI.exe
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
    C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe" | IpOverUsbSvrc.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | PI.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    39 | whatismyipaddress.com
    41 | whatismyipaddress.com
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 2016 set thread context of 760 | 2016 | PI.exe | PI.exe
    PID 760 set thread context of 1644 | 760 | PI.exe | PI.exe
    PID 1644 set thread context of 2320 | 1644 | PI.exe | PI.exe
    PID 2320 set thread context of 2160 | 2320 | PI.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    2016 | PI.exe (all 64 entries are identical)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2016 | PI.exe
    Token: SeDebugPrivilege | 760 | PI.exe
    Token: SeDebugPrivilege | 3760 | IpOverUsbSvrc.exe
    Token: SeDebugPrivilege | 1644 | PI.exe
    Token: SeDebugPrivilege | 2320 | PI.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    2320 | PI.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes:
    description | pid | process | target process
    PID 2016 wrote to memory of 760 | 2016 | PI.exe | PI.exe (8 entries)
    PID 2016 wrote to memory of 3760 | 2016 | PI.exe | IpOverUsbSvrc.exe (3 entries)
    PID 760 wrote to memory of 1644 | 760 | PI.exe | PI.exe (8 entries)
    PID 1644 wrote to memory of 2320 | 1644 | PI.exe | PI.exe (8 entries)
    PID 2320 wrote to memory of 2160 | 2320 | PI.exe | vbc.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PI.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PI.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PI.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\PI.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
  - C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PI.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
  Filesize: 11KB
  MD5: 03c4f3f5cdbc342eb1c0349e001fdd0c
  SHA1: 7d45ed19db4eaed16d1985240c98fab7623798e5
  SHA256: a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
  SHA512: d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
- C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
  Filesize: 992KB
  MD5: f915f94f551c0c5371d093dbe27bbfaa
  SHA1: 912941a11e2c924eceb37ac5928ba457a10d8512
  SHA256: 9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
  SHA512: a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
- memory/760-133-0x0000000000000000-mapping.dmp
- memory/760-150-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/760-141-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/760-135-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/760-134-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-149-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/1644-145-0x0000000000000000-mapping.dmp
- memory/1644-148-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/2016-132-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/2016-143-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/2016-140-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/2160-159-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2160-158-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2160-156-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2160-155-0x0000000000000000-mapping.dmp
- memory/2320-154-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/2320-153-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/2320-152-0x0000000000000000-mapping.dmp
- memory/2320-160-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/3760-136-0x0000000000000000-mapping.dmp
- memory/3760-139-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)
- memory/3760-142-0x0000000074FD0000-0x0000000075581000-memory.dmp (Filesize: 5.7MB)