Analysis
- max time kernel: 103s
- max time network: 176s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 10:49
Static task: static1
Behavioral task: behavioral1
Sample: ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe
Resource: win7-20221111-en
General
- Target: ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe
- Size: 555KB
- MD5: 8e644834c5e8608399dec73de83ac27d
- SHA1: dd9291a79e9c9d7caa4bf3a4c64f0ee46cab313e
- SHA256: ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf
- SHA512: b83233a2d8dbc54005fa9e1f167b23fa4e89e919ee3b5bd4d41bcaa9585915109ff072f3e24a39b48f2f3f349befd171bfa0bb779114f9e31da490d5a1ca8aa3
- SSDEEP: 12288:dtAPu3CoaZttUyMnh/cIhTzIZZPWE7lOEDitoAEas:d+GyZtUX/cI5UOEpOED9La
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: goodman.man2015@yandex.ru
- Password: trade1234
Signatures

NirSoft MailPassView (11 IoCs)
Password recovery tool for various email clients
NirSoft WebBrowserPassView (12 IoCs)
Password recovery tool for various web browsers
Nirsoft (17 IoCs)
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Li9FwLi.lnk (process: ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe)

Loads dropped DLL (1 IoC)
- PID 1728 (ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe)

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: whatismyipaddress.com
- flow 6: whatismyipaddress.com
- flow 7: whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
- PID 1728 (ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe) set thread context of PID 708 (RegAsm.exe)
- PID 708 (RegAsm.exe) set thread context of PID 1020 (vbc.exe)
- PID 708 (RegAsm.exe) set thread context of PID 1920 (vbc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 708 (RegAsm.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 708 (RegAsm.exe)

Suspicious use of WriteProcessMemory (32 IoCs)
- PID 1728 (ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe) wrote to memory of PID 708 (RegAsm.exe): 12 identical entries
- PID 708 (RegAsm.exe) wrote to memory of PID 1020 (vbc.exe): 10 identical entries
- PID 708 (RegAsm.exe) wrote to memory of PID 1920 (vbc.exe): 10 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf.exe"
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
         - Accesses Microsoft Outlook accounts
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- Filesize: 2B
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

\Users\Admin\AppData\Roaming\wzHJklNN\PL94gD8hI.exe
- Filesize: 555KB
- MD5: 8e644834c5e8608399dec73de83ac27d
- SHA1: dd9291a79e9c9d7caa4bf3a4c64f0ee46cab313e
- SHA256: ea1794cc319e26517a2fec4e2f0aa31c39317fe7ca54fe03bd7bd1f9f49a2baf
- SHA512: b83233a2d8dbc54005fa9e1f167b23fa4e89e919ee3b5bd4d41bcaa9585915109ff072f3e24a39b48f2f3f349befd171bfa0bb779114f9e31da490d5a1ca8aa3