Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2023, 15:00
Behavioral task
behavioral1
Sample
Vietcombank_Ban Sao Thanh Toan_Pdf.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Vietcombank_Ban Sao Thanh Toan_Pdf.exe
Resource
win10v2004-20221111-en
General
-
Target
Vietcombank_Ban Sao Thanh Toan_Pdf.exe
-
Size
23KB
-
MD5
357dc7fc40a74f7db969a2bd89188d6d
-
SHA1
4afed0569b36c95f96bac367232cae88eb201e64
-
SHA256
bc6b7187bcc579a4fd0e7ffc54bb1a5fb9fa47a3d781bce55a8c4d9ba4df0139
-
SHA512
da23f8e01dfd78874bd274ae7cca8593ca7be0c12d3de0061630e6c737cbc87433451536ed992491568221b82548eff353bc19c7e3e6383a49d3e6a0ae261c8a
-
SSDEEP
96:P99U6k5sBsdf2XLGMRE7ng2deOFVkAwGuTFKfEPfPNAgARricsGb7kvrBzNt:Pb6KLGMWkOMAluTFCEvNesG+D
Malware Config
Extracted
purecrypter
http://savory.com.bd/sav/Ezxucmj.bmp
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Vietcombank_Ban Sao Thanh Toan_Pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Vietcombank_Ban Sao Thanh Toan_Pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\vlc.exe\"" Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 api.ipify.org 32 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2572 set thread context of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1244 powershell.exe 1244 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe Token: SeDebugPrivilege 1244 powershell.exe Token: SeDebugPrivilege 3600 Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3600 Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2572 wrote to memory of 1244 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 85 PID 2572 wrote to memory of 1244 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 85 PID 2572 wrote to memory of 1244 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 85 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 PID 2572 wrote to memory of 3600 2572 Vietcombank_Ban Sao Thanh Toan_Pdf.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Vietcombank_Ban Sao Thanh Toan_Pdf.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Vietcombank_Ban Sao Thanh Toan_Pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
-
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3600
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vietcombank_Ban Sao Thanh Toan_Pdf.exe.log
Filesize1KB
MD52e49a0dc2cc777cf418322c4466c896e
SHA1d1c48311da63a8124b58ca948b0d64409e927d2d
SHA256b6e3216891c905bc01dfa776fb8f50aadd5b51b997551eb32ad5e21a53574041
SHA512b03923994a5b5b0c8ea0905a19a820eda810ded3687e965ee280641eb6b9dd8bf36ce3984bb04712199fcaffc28cacbbadcc872e12b2bda7f491091aa656156a