Analysis
- max time kernel: 151s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 13:25
Static task: static1
Behavioral task: behavioral1
- Sample: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
- Resource: win10v2004-20220812-en
General
- Target: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
- Size: 993KB
- MD5: 6d344a5398d29561c114a95da3eee85c
- SHA1: d90b3e5bf309af06d1dd87c7f79f50d3d322ba5c
- SHA256: d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e
- SHA512: cefa627232b75149b13fe099d840481daf84d8fcd8e684975b2873c7d0bc42fd4ded8a35303f960ea525ad8d35d772fca1023ececce10f7fc6f32a2b07a021e8
- SSDEEP: 12288:guEbpKb7E7d4Z2gzo5ddjwRLo1UaiZWacmVjy0fIKtklOefmMLzrWS/hJpoUHn:gdKbw7dM2gcxoEQ5W4WlqSj
Malware Config
Signatures
- NirSoft MailPassView (12 IoCs)
  Password recovery tool for various email clients
  Processes (resource / yara_rule):
  - behavioral1/memory/960-59-0x0000000000400000-0x000000000048C000-memory.dmp: MailPassView
  - behavioral1/memory/960-61-0x0000000000400000-0x000000000048C000-memory.dmp: MailPassView
  - behavioral1/memory/960-62-0x0000000000400000-0x000000000048C000-memory.dmp: MailPassView
  - behavioral1/memory/960-63-0x00000000004876EE-mapping.dmp: MailPassView
  - behavioral1/memory/960-65-0x0000000000400000-0x000000000048C000-memory.dmp: MailPassView
  - behavioral1/memory/960-67-0x0000000000400000-0x000000000048C000-memory.dmp: MailPassView
  - behavioral1/memory/568-79-0x00000000004876EE-mapping.dmp: MailPassView
  - behavioral1/memory/1980-91-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
  - behavioral1/memory/1980-92-0x0000000000411654-mapping.dmp: MailPassView
  - behavioral1/memory/1980-95-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
  - behavioral1/memory/1980-96-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
  - behavioral1/memory/1980-97-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- NirSoft WebBrowserPassView (12 IoCs)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  - behavioral1/memory/960-59-0x0000000000400000-0x000000000048C000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/960-61-0x0000000000400000-0x000000000048C000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/960-62-0x0000000000400000-0x000000000048C000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/960-63-0x00000000004876EE-mapping.dmp: WebBrowserPassView
  - behavioral1/memory/960-65-0x0000000000400000-0x000000000048C000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/960-67-0x0000000000400000-0x000000000048C000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/568-79-0x00000000004876EE-mapping.dmp: WebBrowserPassView
  - behavioral1/memory/428-98-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/428-99-0x0000000000442628-mapping.dmp: WebBrowserPassView
  - behavioral1/memory/428-102-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/428-103-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
  - behavioral1/memory/428-105-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- Nirsoft (17 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/960-59-0x0000000000400000-0x000000000048C000-memory.dmp: Nirsoft
  - behavioral1/memory/960-61-0x0000000000400000-0x000000000048C000-memory.dmp: Nirsoft
  - behavioral1/memory/960-62-0x0000000000400000-0x000000000048C000-memory.dmp: Nirsoft
  - behavioral1/memory/960-63-0x00000000004876EE-mapping.dmp: Nirsoft
  - behavioral1/memory/960-65-0x0000000000400000-0x000000000048C000-memory.dmp: Nirsoft
  - behavioral1/memory/960-67-0x0000000000400000-0x000000000048C000-memory.dmp: Nirsoft
  - behavioral1/memory/568-79-0x00000000004876EE-mapping.dmp: Nirsoft
  - behavioral1/memory/1980-91-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral1/memory/1980-92-0x0000000000411654-mapping.dmp: Nirsoft
  - behavioral1/memory/1980-95-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral1/memory/1980-96-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral1/memory/1980-97-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
  - behavioral1/memory/428-98-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
  - behavioral1/memory/428-99-0x0000000000442628-mapping.dmp: Nirsoft
  - behavioral1/memory/428-102-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
  - behavioral1/memory/428-103-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
  - behavioral1/memory/428-105-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 6: whatismyipaddress.com
  - flow 8: whatismyipaddress.com
  - flow 9: whatismyipaddress.com
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (pid / process / target process):
  - PID 916 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe) set thread context of 960 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe)
  - PID 1976 (takshost.exe) set thread context of 568 (takshost.exe)
  - PID 568 (takshost.exe) set thread context of 1980 (vbc.exe)
  - PID 568 (takshost.exe) set thread context of 428 (vbc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description / ioc / process). All keys below are relative to \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer:
  - Key created: \Main (iexplore.exe)
  - Key created: \Toolbar (iexplore.exe)
  - Key created: \Recovery\AdminActive (iexplore.exe)
  - Set value (data): \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: \DomainSuggestion (iexplore.exe)
  - Key created: \LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Set value (int): \Recovery\AdminActive\{F0FA1771-7028-11ED-AB20-4A12BD72B3C7} = "0" (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000030311d049604ce4c81fb23bd2036752a00000000020000000000106600000001000020000000220b2b36f2304541efded96fa908161cacb1fdb3facc8bd6e184e4c5b8bd2190000000000e8000000002000020000000b133a8b40788c9865e9a4de3ff1a563a8f849d9198df86aed9ef6a9c069e74792000000071299adbfa5ed49fa088dc97c9802ccafe81d2f400aff5195bd1d7a0fade582d4000000023d9494243ff60ff7f9790ddce51eda61847fd13f270fb2341ee4790abe633dae26b62533179ddeb1af97d6f352c42425dd068ed74175d2377df46208974acb8 (iexplore.exe)
  - Key created: \DomainSuggestion\FileNames (iexplore.exe)
  - Set value (int): \DomainSuggestion\NextUpdateDate = "376520644" (iexplore.exe)
  - Key created: \IntelliForms (iexplore.exe)
  - Key created: \LowRegistry (iexplore.exe)
  - Key created: \LowRegistry\DOMStorage (iexplore.exe)
  - Key created: \Main (IEXPLORE.EXE)
  - Key created: \TabbedBrowsing (iexplore.exe)
  - Set value (str): \DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Key created: \BrowserEmulation\LowMic (iexplore.exe)
  - Set value (int): \Main\CompatibilityFlags = "0" (iexplore.exe)
  - Key created: \Recovery\PendingRecovery (iexplore.exe)
  - Key created: \IETld\LowMic (iexplore.exe)
  - Key created: \Toolbar\WebBrowser (iexplore.exe)
  - Set value (str): \Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created: \TabbedBrowsing\NewTabPage (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\LastProcessed = d04110ce3504d901 (iexplore.exe)
  - Set value (data): \TabbedBrowsing\NewTabPage\MFV = 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 (iexplore.exe)
  - Key created: \GPU (iexplore.exe)
  - Set value (str): \Main\FullScreen = "no" (iexplore.exe)
  - Set value (int): \Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: \InternetRegistry (iexplore.exe)
  - Key created: \PageSetup (iexplore.exe)
  - Key created: \Zoom (iexplore.exe)
  - Key created: \Main\WindowsSearch (iexplore.exe)
  - Set value (int): \TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  - Key created: \DomainSuggestion\FileNames\ (iexplore.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 428 vbc.exe
  - 568 takshost.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid / process):
  - 916 d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 916 d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  - Token: SeDebugPrivilege, 1976 takshost.exe
  - Token: SeDebugPrivilege, 568 takshost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 392 iexplore.exe
  - 276 DllHost.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid / process):
  - 392 iexplore.exe
  - 392 iexplore.exe
  - 1728 IEXPLORE.EXE
  - 1728 IEXPLORE.EXE
  - 568 takshost.exe
- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes (pid / process / target process; identical consecutive entries collapsed with their repeat count):
  - PID 916 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe) wrote to memory of 960 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe), 9 times
  - PID 916 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe) wrote to memory of 1976 (takshost.exe), 4 times
  - PID 1976 (takshost.exe) wrote to memory of 568 (takshost.exe), 9 times
  - PID 960 (d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe) wrote to memory of 392 (iexplore.exe), 4 times
  - PID 392 (iexplore.exe) wrote to memory of 1728 (IEXPLORE.EXE), 4 times
  - PID 568 (takshost.exe) wrote to memory of 1980 (vbc.exe), 10 times
  - PID 568 (takshost.exe) wrote to memory of 428 (vbc.exe), 10 times
Processes
- C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        Signatures: Accesses Microsoft Outlook accounts
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BFile_1.jpg
  Filesize: 12KB
  MD5: df5ce15d53cef13a938c4ca363f8bf36
  SHA1: 081147197558b40c67ae4112bf3f005abae61e70
  SHA256: d274f4a4103517844671b358a93c7935823de040b87e46a647963c30270cf6a3
  SHA512: 444eb960de91ddd0774fe3597abe767ad01ca7676564c4d224e099997c7f46f3fc4d921d13086a148e06c856bd28bc31ab945b62a28698f451aef9fcad5da571
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WHLSHT1K.txt
  Filesize: 603B
  MD5: 7e70a046897d56fae30d7ca8572e0313
  SHA1: e92369e5532ea37f039769024f292f865561084b
  SHA256: d270a2b6dea3bcf8ff20f4543e7a13e85f7825a3e326ece1349d36c43f0c7fbc
  SHA512: 337094dc4806fb9bb8132b96f4e0ec09b68aae0d72e46e516a4f775c74902e07a6b5346f28d816496790b693828bf2cdd8e8ff00e299c8e449b56e3b72f5dac4
- memory/428-99-0x0000000000442628-mapping.dmp
- memory/428-102-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/428-103-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/428-98-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/428-105-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/568-86-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/568-90-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/568-79-0x00000000004876EE-mapping.dmp
- memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp (Filesize: 8KB)
- memory/916-55-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/916-70-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/960-62-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-67-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-61-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-63-0x00000000004876EE-mapping.dmp
- memory/960-59-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-57-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-56-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/960-65-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize: 560KB)
- memory/1976-85-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/1976-71-0x0000000074EE0000-0x000000007548B000-memory.dmp (Filesize: 5.7MB)
- memory/1976-68-0x0000000000000000-mapping.dmp
- memory/1980-97-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1980-96-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1980-95-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1980-92-0x0000000000411654-mapping.dmp
- memory/1980-91-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)