Analysis
  max time kernel: 152s
  max time network: 160s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-11-2022 17:19
Static task: static1
Behavioral task: behavioral1
  Sample: f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
  Resource: win7-20220812-en
General
  Target: f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
  Size: 818KB
  MD5: 6062dc511ee11c084d877c618b6f637e
  SHA1: e26c5ec4e5998664fdc76b53328edba1ae68dd9c
  SHA256: f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986
  SHA512: 9047075cbd1cd82e177daa56c187bc8b4a61a21c0c9cd13f2538e7630aef55a270a7852c063f4264dd6dcb73718f8a914eed05a0916404702107a5ce890b7cfd
  SSDEEP: 12288:R8zibupKhPNNIyREr8N4fl59u9CXBLBCi34bK:uWYwHyPl5HXBLCbK
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: kennedey.isaac@yandex.com
  Password: jozo2018
Signatures
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes (resource / yara_rule):
  behavioral2/memory/4424-142-0x0000000002110000-0x00000000021A0000-memory.dmp  MailPassView
  behavioral2/memory/208-162-0x0000000006AA0000-0x0000000006B30000-memory.dmp  MailPassView
  behavioral2/memory/2664-170-0x0000000000000000-mapping.dmp  MailPassView
  behavioral2/memory/2664-171-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/2664-173-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral2/memory/2664-174-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes (resource / yara_rule):
  behavioral2/memory/4424-142-0x0000000002110000-0x00000000021A0000-memory.dmp  WebBrowserPassView
  behavioral2/memory/208-162-0x0000000006AA0000-0x0000000006B30000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4304-175-0x0000000000000000-mapping.dmp  WebBrowserPassView
  behavioral2/memory/4304-176-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4304-178-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4304-179-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4304-181-0x0000000000400000-0x0000000000458000-memory.dmp  WebBrowserPassView
-
Nirsoft 11 IoCs
Processes (resource / yara_rule):
  behavioral2/memory/4424-142-0x0000000002110000-0x00000000021A0000-memory.dmp  Nirsoft
  behavioral2/memory/208-162-0x0000000006AA0000-0x0000000006B30000-memory.dmp  Nirsoft
  behavioral2/memory/2664-170-0x0000000000000000-mapping.dmp  Nirsoft
  behavioral2/memory/2664-171-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/2664-173-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/2664-174-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral2/memory/4304-175-0x0000000000000000-mapping.dmp  Nirsoft
  behavioral2/memory/4304-176-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/4304-178-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/4304-179-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
  behavioral2/memory/4304-181-0x0000000000400000-0x0000000000458000-memory.dmp  Nirsoft
-
Executes dropped EXE 2 IoCs
Processes (pid / process):
  1344  Windows Update.exe
  208   Windows Update.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  21  whatismyipaddress.com
  25  whatismyipaddress.com
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description / pid / process / target process):
  PID 5068 set thread context of 4424  5068  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
  PID 1344 set thread context of 208   1344  Windows Update.exe  Windows Update.exe
  PID 208 set thread context of 2664   208   Windows Update.exe  vbc.exe
  PID 208 set thread context of 4304   208   Windows Update.exe  vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid / process):
  4304  vbc.exe
  4304  vbc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  208  Windows Update.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
  5068  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
  1344  Windows Update.exe
  208   Windows Update.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (description / pid / process / target process; repeated rows collapsed with their count):
  PID 5068 wrote to memory of 4424  5068  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe  (x3)
  PID 4424 wrote to memory of 1344  4424  f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe  Windows Update.exe  (x3)
  PID 1344 wrote to memory of 208   1344  Windows Update.exe  Windows Update.exe  (x3)
  PID 208 wrote to memory of 2664   208   Windows Update.exe  vbc.exe  (x9)
  PID 208 wrote to memory of 4304   208   Windows Update.exe  vbc.exe  (x9)
Processes (tree; nesting shows parent/child, each entry gives the image path, the captured command line, then the signatures it triggered)
1. C:\Users\Admin\AppData\Local\Temp\f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
               - Accesses Microsoft Outlook accounts
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize: 102B
    MD5: 7e29fd778f687f6d25f960a23f513445
    SHA1: 9959c6bbd29ec671830c1df4248afae2e29bec08
    SHA256: c29d4b40e9009d928dca0d15daff985dd908d1940a65a2247aa2c23232f89966
    SHA512: 52c2f8bb94cd1d7944bfaa83adb12181a1108c37fe307e137150cfc569c71dd1f21c06ebad7e338b9407aca5e03294ab49d15b0e44e130b28a4a8cb6f46a0bba
  C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize: 3KB
    MD5: f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
  C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize: 818KB
    MD5: 6062dc511ee11c084d877c618b6f637e
    SHA1: e26c5ec4e5998664fdc76b53328edba1ae68dd9c
    SHA256: f377b662db76cfcf5509a41f8e09674c55bd71e251745e5ff5d1328a2c015986
    SHA512: 9047075cbd1cd82e177daa56c187bc8b4a61a21c0c9cd13f2538e7630aef55a270a7852c063f4264dd6dcb73718f8a914eed05a0916404702107a5ce890b7cfd
  Memory dumps (resource / filesize):
    memory/208-154-0x0000000000000000-mapping.dmp
    memory/208-169-0x0000000074DA0000-0x0000000075351000-memory.dmp  5.7MB
    memory/208-168-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/208-166-0x0000000074DA0000-0x0000000075351000-memory.dmp  5.7MB
    memory/208-165-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/208-162-0x0000000006AA0000-0x0000000006B30000-memory.dmp  576KB
    memory/1344-156-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/1344-147-0x0000000000000000-mapping.dmp
    memory/2664-171-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
    memory/2664-174-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
    memory/2664-173-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
    memory/2664-170-0x0000000000000000-mapping.dmp
    memory/4304-181-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
    memory/4304-179-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
    memory/4304-178-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
    memory/4304-176-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
    memory/4304-175-0x0000000000000000-mapping.dmp
    memory/4424-146-0x0000000074DA0000-0x0000000075351000-memory.dmp  5.7MB
    memory/4424-139-0x0000000000400000-0x0000000000477000-memory.dmp  476KB
    memory/4424-142-0x0000000002110000-0x00000000021A0000-memory.dmp  576KB
    memory/4424-145-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/4424-153-0x0000000074DA0000-0x0000000075351000-memory.dmp  5.7MB
    memory/4424-135-0x0000000000000000-mapping.dmp
    memory/4424-152-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/5068-136-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
    memory/5068-134-0x00000000024C0000-0x00000000024C7000-memory.dmp  28KB