Analysis
-
max time kernel
167s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 16:14
Static task
static1
Behavioral task
behavioral1
Sample
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
Resource
win10v2004-20221111-en
General
-
Target
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
-
Size
1.7MB
-
MD5
2514c34a5985c4663b524b967c85d1c6
-
SHA1
e9ac6338ee778202e5a7ab51fc1a741eb2db4969
-
SHA256
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b
-
SHA512
5ccec693ccc10c729e1f703ab24c27a321e04b1f4b023e96538bcf53a9d9efb8b37e30c8212494278e2c118a6376f8deb7b10cc55712f4b8d6dc2b004d0b4dff
-
SSDEEP
24576:8LvPkKzbM8FEQxazfhOlbR38mlMzKRv3HoNgg5CxkLoe7i6SR0QOBXLqMc+wTiR1:87k181V38eMevSnwMMxOB7qkwTiR
Malware Config
Extracted
Protocol: smtp- Host:
mail.messagingengine.com - Port:
587 - Username:
azarbaijj@fastmail.com - Password:
qedrks8q9hlo8up1ao7hrljvc7
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\TPAutoConnect.exe" reg.exe -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral2/memory/3308-152-0x0000000000000000-mapping.dmp MailPassView behavioral2/memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral2/memory/4188-157-0x0000000000000000-mapping.dmp WebBrowserPassView behavioral2/memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 10 IoCs
Processes:
resource yara_rule behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral2/memory/3308-152-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4188-157-0x0000000000000000-mapping.dmp Nirsoft behavioral2/memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 5060 svhost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exe8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exedescription ioc process File opened for modification C:\Windows\assembly\Desktop.ini 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe File created C:\Windows\assembly\Desktop.ini 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 52 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exedescription pid process target process PID 4392 set thread context of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 5060 set thread context of 3308 5060 svhost.exe vbc.exe PID 5060 set thread context of 4188 5060 svhost.exe vbc.exe -
Drops file in Windows directory 3 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exedescription ioc process File opened for modification C:\Windows\assembly 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe File created C:\Windows\assembly\Desktop.ini 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe File opened for modification C:\Windows\assembly\Desktop.ini 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2204 timeout.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exevbc.exepid process 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe 5060 svhost.exe 4188 vbc.exe 4188 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exedescription pid process Token: SeDebugPrivilege 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe Token: SeDebugPrivilege 5060 svhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svhost.exepid process 5060 svhost.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.execmd.exewscript.execmd.execmd.exesvhost.exedescription pid process target process PID 4392 wrote to memory of 4328 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4392 wrote to memory of 4328 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4392 wrote to memory of 4328 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4328 wrote to memory of 4448 4328 cmd.exe wscript.exe PID 4328 wrote to memory of 4448 4328 cmd.exe wscript.exe PID 4328 wrote to memory of 4448 4328 cmd.exe wscript.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4392 wrote to memory of 5060 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe svhost.exe PID 4448 wrote to memory of 2316 4448 wscript.exe cmd.exe PID 4448 wrote to memory of 2316 4448 wscript.exe cmd.exe PID 4448 wrote to memory of 2316 4448 wscript.exe cmd.exe PID 2316 wrote to memory of 1636 2316 cmd.exe reg.exe PID 2316 wrote to memory of 1636 2316 cmd.exe reg.exe PID 2316 wrote to memory of 1636 2316 cmd.exe reg.exe PID 4392 wrote to memory of 4332 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4392 wrote to memory of 4332 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4392 wrote to memory of 4332 4392 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe cmd.exe PID 4332 wrote to memory of 2204 4332 cmd.exe timeout.exe PID 4332 wrote to memory of 2204 4332 cmd.exe timeout.exe PID 4332 wrote to memory of 2204 4332 cmd.exe timeout.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 3308 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe PID 5060 wrote to memory of 4188 5060 svhost.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe"C:\Users\Admin\AppData\Local\Temp\8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\TPAutoConnect.exe" /f5⤵
- Modifies WinLogon for persistence
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3003⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\FolderName\TPAutoConnect.exeFilesize
1.7MB
MD52514c34a5985c4663b524b967c85d1c6
SHA1e9ac6338ee778202e5a7ab51fc1a741eb2db4969
SHA2568efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b
SHA5125ccec693ccc10c729e1f703ab24c27a321e04b1f4b023e96538bcf53a9d9efb8b37e30c8212494278e2c118a6376f8deb7b10cc55712f4b8d6dc2b004d0b4dff
-
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbsFilesize
78B
MD5c578d9653b22800c3eb6b6a51219bbb8
SHA1a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA25620a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA5123ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
-
C:\Users\Admin\AppData\Roaming\FolderName\mata.batFilesize
76B
MD55e57f6f4e3242ad9719ed5e65346e83e
SHA172346d0208c5edeb69f41ddb4374d56d87221dad
SHA2564ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c
SHA5127dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f
-
C:\Users\Admin\AppData\Roaming\FolderName\mata2.batFilesize
288B
MD5f19741e9614de4a81dc619ae9f6d3c4d
SHA172dbbc17dcc76f11bac04507147aa39ee3c2342e
SHA256e8c8ab04f5730e043a220ad833fb4421d173326d5996b475ffc610445a3d62e0
SHA51252826847f6878bb1db500a6dc57396e2c473137b87a6fd9812d593dc6a61c2b3fd93bcb392490d3eec77860afbae5c6219668143403efe1182a1c2f7850a5285
-
C:\Users\Admin\AppData\Roaming\FolderName\svhost.batFilesize
215B
MD5b4f3d9dc2751dc993839aad15ba26450
SHA1f1fcd8280a51dcbf4551ecfd5baa445af9725dfa
SHA25679e27e2950ece03ac4e57e699d7ab62f8c5a18a86a7e770f7398b6daf66350f6
SHA51234c3505cb51c3c96a0c035ce850dd6eb3ce562b9b1a2c24b3dde4d836e1614c6536f20591a17296f103313d3d3c5d846cc0016ced0369989dd6eec0e285dc203
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
52KB
MD5a64daca3cfbcd039df3ec29d3eddd001
SHA1eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
-
memory/1636-145-0x0000000000000000-mapping.dmp
-
memory/2204-148-0x0000000000000000-mapping.dmp
-
memory/2316-144-0x0000000000000000-mapping.dmp
-
memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3308-152-0x0000000000000000-mapping.dmp
-
memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4188-157-0x0000000000000000-mapping.dmp
-
memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4328-134-0x0000000000000000-mapping.dmp
-
memory/4332-146-0x0000000000000000-mapping.dmp
-
memory/4392-132-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/4392-133-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/4392-150-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/4448-136-0x0000000000000000-mapping.dmp
-
memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/5060-143-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB
-
memory/5060-137-0x0000000000000000-mapping.dmp
-
memory/5060-151-0x0000000074EC0000-0x0000000075471000-memory.dmpFilesize
5.7MB