Overview

overview

9

Static

static

1

6b1f65c529...cb.exe

windows7-x64

9

6b1f65c529...cb.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 08:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6b1f65c5297138a312c83c277c258bcb.exe

  • Size

    876KB

  • MD5

    6b1f65c5297138a312c83c277c258bcb

  • SHA1

    3817bad277aa50016e08eed35e92d4a3b5247633

  • SHA256

    c2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17

  • SHA512

    213008ba436056bbeac9434f72d318c0af1a4fd4f7c082da3c32b0c1d801f3ae31208be3b2cd6e6cdaefa7728575757e7987230fb1d79895f214d4fa7b491bb1

  • SSDEEP

    24576:GKm0WEPfv82Kww5Y3awdtWs8RPrK7LBmH0I:hmtUv4bY3hh8lrB

Score
9/10
collection

Malware Config

Signatures

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe
    "C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2076
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp346F.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:3352

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp
          Filesize

          4KB

          MD5

          9945b47a62f116c5707cfe39eba4e3a3

          SHA1

          3a891690b33791216df5ca70ff15c288b8ec3223

          SHA256

          bec9bca76621ea0f0db461945ca513d00aba466d4cf882a437a8de82075784f1

          SHA512

          7c0ba560d4332ca00c6b2e3e938c50e7006b0775ba2eec3ff287adf656de508795be097a6a12d9f3cb9a43ac63c0f52f2574ad1cdebe868fd4ac02e683687e48

          Download Submit

        • memory/2076-139-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download

        • memory/2076-136-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download

        • memory/2076-138-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download

        • memory/2076-140-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

          Download

        • memory/3352-143-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3352-145-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3352-146-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3696-134-0x00000000753D0000-0x0000000075981000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3696-133-0x00000000753D0000-0x0000000075981000-memory.dmp

          Filesize

          5.7MB

          Download