Analysis
-
max time kernel
81s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 11:40
Static task
static1
Behavioral task
behavioral1
Sample
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
Resource
win10v2004-20220812-en
General
-
Target
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
-
Size
612KB
-
MD5
22e87999f93e9368b2272cdd49cf49d7
-
SHA1
68addbfad46359c58eb68dad524db6294838e02a
-
SHA256
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de
-
SHA512
4fff863181463b78b11523eda50ef67b80ae0964996fe4660db31fafa22f5a203551dbd15836534c3c426d2351ca6038a0d1eaeb1833b03c2ca9eefaff00e3e6
-
SSDEEP
12288:TMF/qkQz5Vj+OMR8HnTgLJuAliyJ5/wd8ln4R0tW1cPOVk:IFvS68HnTgL4yD/wzR0uc
Malware Config
Signatures
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
WScript.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe" WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exedescription pid process target process PID 1184 set thread context of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 636 set thread context of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 set thread context of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exepid process 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exevbc.exedescription pid process Token: SeDebugPrivilege 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe Token: SeDebugPrivilege 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe Token: SeDebugPrivilege 1528 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exepid process 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exeexplorer.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exedescription pid process target process PID 1184 wrote to memory of 960 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe explorer.exe PID 1184 wrote to memory of 960 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe explorer.exe PID 1184 wrote to memory of 960 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe explorer.exe PID 1184 wrote to memory of 960 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe explorer.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1184 wrote to memory of 636 1184 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe PID 1124 wrote to memory of 608 1124 explorer.exe WScript.exe PID 1124 wrote to memory of 608 1124 explorer.exe WScript.exe PID 1124 wrote to memory of 608 1124 explorer.exe WScript.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1528 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe PID 636 wrote to memory of 1408 636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\connection.vbs2⤵
-
C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\connection.vbs"2⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
327B
MD51265c5140a2f68b05b92aa1a25a2abb6
SHA1627a660e9d2a41c8c4a662ca44fdb68a1356bc82
SHA256694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
SHA512ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
-
C:\Users\Admin\AppData\Roaming\connection.vbsFilesize
601B
MD54ba1f714beec868e73bf021b01928e6a
SHA10d1b0f486fea0d3ef4faa31adb1961315d96818c
SHA2562ab87e11c48880a3bc4f97ee5efc8c541024618bb9c4c9fbde172c8ac981d28e
SHA512ba08178f2f0cb71f521cdff848afc60a79420b2df29f6087cbd9c4af1d979f7de2b608d2380c585bfee15ce27594c3b2b95cfa7645e1969a6f9168e880273d1a
-
memory/608-76-0x0000000000000000-mapping.dmp
-
memory/636-66-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-71-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-61-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-60-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-63-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-65-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-67-0x000000000051BB3E-mapping.dmp
-
memory/636-91-0x0000000002445000-0x0000000002456000-memory.dmpFilesize
68KB
-
memory/636-69-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/636-106-0x0000000002445000-0x0000000002456000-memory.dmpFilesize
68KB
-
memory/636-77-0x0000000074A60000-0x000000007500B000-memory.dmpFilesize
5.7MB
-
memory/636-74-0x0000000074A60000-0x000000007500B000-memory.dmpFilesize
5.7MB
-
memory/960-56-0x0000000000000000-mapping.dmp
-
memory/960-58-0x0000000072071000-0x0000000072073000-memory.dmpFilesize
8KB
-
memory/1124-59-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmpFilesize
8KB
-
memory/1184-75-0x0000000074A60000-0x000000007500B000-memory.dmpFilesize
5.7MB
-
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmpFilesize
8KB
-
memory/1184-55-0x0000000074A60000-0x000000007500B000-memory.dmpFilesize
5.7MB
-
memory/1408-95-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-96-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-108-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-107-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-105-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-104-0x0000000000460E2D-mapping.dmp
-
memory/1408-103-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-102-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-100-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1408-98-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1528-83-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-79-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-94-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-81-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-92-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-85-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-90-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-78-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-86-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/1528-87-0x0000000000462B6D-mapping.dmp