Analysis
max time kernel: 176s
max time network: 206s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 11:39
Static task: static1
Behavioral task: behavioral1
  Sample: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
  Resource: win10v2004-20221111-en
General
Target: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
Size: 569KB
MD5: 0eab2d9bc5d399eea1b7226ef901b7f9
SHA1: ef85ad30b9a0cb932594d55dc167df302735e980
SHA256: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569
SHA512: 54b60964740f291ffae09053f77227873c707227274625e1b773f85ab727694f51bf47bfc67ecaf420bd4c0b3286ff75555d4ea31aeab4e7e3c61e23c21e13d3
SSDEEP: 6144:N8bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHk0:mQtqB5urTIoYWBQk1E+VF9mOx9Q0
Malware Config
Signatures

NirSoft MailPassView (9 IoCs)
Password recovery tool for various email clients
Processes (resource | yara_rule):
  \Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  behavioral1/memory/1076-66-0x0000000000411654-mapping.dmp | MailPassView
  behavioral1/memory/1076-65-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1076-69-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1076-76-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1076-78-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/1076-82-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (9 IoCs)
Password recovery tool for various web browsers
Processes (resource | yara_rule):
  \Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  behavioral1/memory/896-70-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/896-71-0x0000000000442628-mapping.dmp | WebBrowserPassView
  behavioral1/memory/896-74-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/896-77-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/896-79-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/896-81-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView

Nirsoft (15 IoCs)
Processes (resource | yara_rule):
  \Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  behavioral1/memory/1076-66-0x0000000000411654-mapping.dmp | Nirsoft
  behavioral1/memory/1076-65-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/1076-69-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/896-70-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/896-71-0x0000000000442628-mapping.dmp | Nirsoft
  behavioral1/memory/1076-76-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/896-74-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/896-77-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/896-79-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/1076-78-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/896-81-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/1076-82-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft

Executes dropped EXE (1 IoC)
Processes (pid | process):
  764 | Windows Update.exe

Deletes itself (1 IoC)
Processes (pid | process):
  764 | Windows Update.exe

Loads dropped DLL (1 IoC)
Processes (pid | process):
  1708 | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  4 | whatismyipaddress.com
  6 | whatismyipaddress.com
  7 | whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
  PID 764 set thread context of 1076 | 764 | Windows Update.exe | vbc.exe
  PID 764 set thread context of 896 | 764 | Windows Update.exe | vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 764 | Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
  764 | Windows Update.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description | pid | process | target process):
  PID 1708 wrote to memory of 764 | 1708 | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe | Windows Update.exe  (7 entries)
  PID 764 wrote to memory of 1076 | 764 | Windows Update.exe | vbc.exe  (10 entries)
  PID 764 wrote to memory of 896 | 764 | Windows Update.exe | vbc.exe  (10 entries)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Deletes itself
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: e12a16002f4e05508e70655e69895a94
  SHA1: aa36b5e5ea4e990b4312a0399d0d270ff4b3e21c
  SHA256: eab0b4afc64da215b7b2c6468e3359de409885b827664e1d84fa18ea5afce8ab
  SHA512: decbb46473aed8af485917032ce72f1318ca44a94606cde56c27c17160ddecaacc76c5aa5edd5b6f0c3efc25b7a380208b89c777fc81b7fb27e85c8b734458ed

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 569KB
  MD5: 0eab2d9bc5d399eea1b7226ef901b7f9
  SHA1: ef85ad30b9a0cb932594d55dc167df302735e980
  SHA256: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569
  SHA512: 54b60964740f291ffae09053f77227873c707227274625e1b773f85ab727694f51bf47bfc67ecaf420bd4c0b3286ff75555d4ea31aeab4e7e3c61e23c21e13d3
\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 569KB
  MD5: 0eab2d9bc5d399eea1b7226ef901b7f9
  SHA1: ef85ad30b9a0cb932594d55dc167df302735e980
  SHA256: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569
  SHA512: 54b60964740f291ffae09053f77227873c707227274625e1b773f85ab727694f51bf47bfc67ecaf420bd4c0b3286ff75555d4ea31aeab4e7e3c61e23c21e13d3

Memory dumps (name | Filesize):
  memory/764-64-0x0000000074A80000-0x000000007502B000-memory.dmp | 5.7MB
  memory/764-62-0x0000000074A80000-0x000000007502B000-memory.dmp | 5.7MB
  memory/764-57-0x0000000000000000-mapping.dmp
  memory/764-75-0x00000000003D5000-0x00000000003E6000-memory.dmp | 68KB
  memory/896-81-0x0000000000400000-0x0000000000458000-memory.dmp | 352KB
  memory/896-79-0x0000000000400000-0x0000000000458000-memory.dmp | 352KB
  memory/896-77-0x0000000000400000-0x0000000000458000-memory.dmp | 352KB
  memory/896-74-0x0000000000400000-0x0000000000458000-memory.dmp | 352KB
  memory/896-70-0x0000000000400000-0x0000000000458000-memory.dmp | 352KB
  memory/896-71-0x0000000000442628-mapping.dmp
  memory/1076-69-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
  memory/1076-76-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
  memory/1076-65-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
  memory/1076-66-0x0000000000411654-mapping.dmp
  memory/1076-78-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
  memory/1076-82-0x0000000000400000-0x000000000041B000-memory.dmp | 108KB
  memory/1708-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp | 8KB
  memory/1708-61-0x0000000074A80000-0x000000007502B000-memory.dmp | 5.7MB
  memory/1708-55-0x0000000074A80000-0x000000007502B000-memory.dmp | 5.7MB