Analysis
- max time kernel: 185s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 11:19
Behavioral task: behavioral1
- Sample: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
- Resource: win7-20221111-en
General
- Target: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
- Size: 1007KB
- MD5: 5ae5b9fd23698f70e2b0bbfa91dc4bc3
- SHA1: d59f364bf8707be6aa529d52d3e695a3be23469b
- SHA256: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
- SHA512: b9159b28be5c8e3a8651e2a14cba8da59a103db507b2db657a7717bede1ed96f8b72cb66df01eff4d7c2aba4bffc894af7141e81f23e28174606c4ba19bc6949
- SSDEEP: 24576:1Bd5WtFBJDsi+uNaLRILoHKdYH1CeZbi6ezAot3EF8x20C7R1dH:M3Dsi38dDt
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  Processes:
  resource: behavioral2/memory/3952-135-0x0000000000400000-0x00000000004B8000-memory.dmp
  yara_rule: MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
  resource: behavioral2/memory/3952-135-0x0000000000400000-0x00000000004B8000-memory.dmp
  yara_rule: WebBrowserPassView
- Nirsoft (1 IoC)
  Processes:
  resource: behavioral2/memory/3952-135-0x0000000000400000-0x00000000004B8000-memory.dmp
  yara_rule: Nirsoft
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 2668: Windows Update.exe
  pid 3736: Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  process: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
- Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource: C:\Users\Admin\AppData\Roaming\Windows Update.exe
  yara_rule: agile_net (matched 3 times on the same resource)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 77, ioc: whatismyipaddress.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  PID 4624 (0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe) set thread context of 3952 (0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe)
  PID 2668 (Windows Update.exe) set thread context of 3736 (Windows Update.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid 4624: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe (2 IoCs)
  pid 2668: Windows Update.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 4624, 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
  Token: SeDebugPrivilege, pid 2668, Windows Update.exe
  Token: SeDebugPrivilege, pid 3736, Windows Update.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  PID 4624 (0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe) wrote to memory of 3952 (0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe): 8 IoCs
  PID 3952 (0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe) wrote to memory of 2668 (Windows Update.exe): 3 IoCs
  PID 2668 (Windows Update.exe) wrote to memory of 3736 (Windows Update.exe): 8 IoCs
Processes (tree; depth as reported)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 5169980e1a9b7e0dce4e906e22d1e94a
  SHA1: 02f592b97337f7ae2de70f4e62bac575495d1464
  SHA256: 1afb9082b4092f609cc60c2b93d2c610af9d95e27a811f407b7792978e30b26d
  SHA512: 295cb76af1cba4b368ef9c230b4a608c047f719ea0c37c1fc6c24d88a9bd26336e225dbf778ef14287c0ed3279892e635f307d1f5d52d45f17cda1b326d02b02
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed three times with identical hashes; same file as the submitted sample)
  Filesize: 1007KB
  MD5: 5ae5b9fd23698f70e2b0bbfa91dc4bc3
  SHA1: d59f364bf8707be6aa529d52d3e695a3be23469b
  SHA256: 0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
  SHA512: b9159b28be5c8e3a8651e2a14cba8da59a103db507b2db657a7717bede1ed96f8b72cb66df01eff4d7c2aba4bffc894af7141e81f23e28174606c4ba19bc6949
Memory dumps
- memory/2668-138-0x0000000000000000-mapping.dmp
- memory/2668-149-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/2668-143-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/2668-144-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/3736-145-0x0000000000000000-mapping.dmp
- memory/3736-150-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/3736-152-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/3952-137-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/3952-142-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/3952-135-0x0000000000400000-0x00000000004B8000-memory.dmp, Filesize: 736KB
- memory/3952-134-0x0000000000000000-mapping.dmp
- memory/4624-132-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/4624-136-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB
- memory/4624-133-0x0000000074F10000-0x00000000754C1000-memory.dmp, Filesize: 5.7MB