4dc1d7f5403f147bc8bd69fe671d86c1a990ed0c3727d07b757ef95fbcd232b9

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC Payment Advice_pdf.exe
Size

380KB
MD5

77cdc00597ec524e4d445a274a55a053
SHA1

6d0d79d464dac3a5ee563f5afabae73b0317fe20
SHA256

4dc1d7f5403f147bc8bd69fe671d86c1a990ed0c3727d07b757ef95fbcd232b9
SHA512

c1da4c0b0b2995363700be3f0f6bb1268abce7356929846291a8727046af2f92385454dd1aea940ed2ae537fbad5e8ea205c7b3b1bad11c8d067deb0a38f47bb
SSDEEP

6144:sYa6sMA6sjf9FmJT0NBu8FpCUmAUwL1/ghd9AoFGBZZdwEhT:sYCnHjf9FA0zzFpRNgBAOGDZWEd

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	320	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation	vvzosluykp.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	vvzosluykp.exe
2012	vvzosluykp.exe

Loads dropped DLL 4 IoCs

pid	Process
1696	HSBC Payment Advice_pdf.exe
1696	HSBC Payment Advice_pdf.exe
1956	vvzosluykp.exe
320	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 2012	1956	vvzosluykp.exe	28
PID 2012 set thread context of 1228	2012	vvzosluykp.exe	9
PID 320 set thread context of 1228	320	cmd.exe	9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2012	vvzosluykp.exe
2012	vvzosluykp.exe
2012	vvzosluykp.exe
2012	vvzosluykp.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1956	vvzosluykp.exe
2012	vvzosluykp.exe
2012	vvzosluykp.exe
2012	vvzosluykp.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe
320	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	vvzosluykp.exe
Token: SeDebugPrivilege	320	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1956	1696	HSBC Payment Advice_pdf.exe	27
PID 1696 wrote to memory of 1956	1696	HSBC Payment Advice_pdf.exe	27
PID 1696 wrote to memory of 1956	1696	HSBC Payment Advice_pdf.exe	27
PID 1696 wrote to memory of 1956	1696	HSBC Payment Advice_pdf.exe	27
PID 1956 wrote to memory of 2012	1956	vvzosluykp.exe	28
PID 1956 wrote to memory of 2012	1956	vvzosluykp.exe	28
PID 1956 wrote to memory of 2012	1956	vvzosluykp.exe	28
PID 1956 wrote to memory of 2012	1956	vvzosluykp.exe	28
PID 1956 wrote to memory of 2012	1956	vvzosluykp.exe	28
PID 1228 wrote to memory of 320	1228	Explorer.EXE	29
PID 1228 wrote to memory of 320	1228	Explorer.EXE	29
PID 1228 wrote to memory of 320	1228	Explorer.EXE	29
PID 1228 wrote to memory of 320	1228	Explorer.EXE	29
PID 320 wrote to memory of 340	320	cmd.exe	32
PID 320 wrote to memory of 340	320	cmd.exe	32
PID 320 wrote to memory of 340	320	cmd.exe	32
PID 320 wrote to memory of 340	320	cmd.exe	32
PID 320 wrote to memory of 340	320	cmd.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe
    "C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe" C:\Users\Admin\AppData\Local\Temp\tcierbayyx.w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe
      "C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eivtzolure.ewv

Filesize
205KB

MD5
6ee1765b846c05a265f228d9d3cafaa6

SHA1
b901fa5dad01abd6d3770641f40c15f5fd5f8c26

SHA256
4306cf72fd5bc403a379beaa76b0d7fe6e395cbe0731fd794a58eb7b098ea155

SHA512
7b696dccf255938200f481b1a23a24875cf7160c031e769cab3b0627bbb34fab19a23250d5a9bdb503c970b72bae907e299015c07777cd111b49a2b719d947a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcierbayyx.w

Filesize
5KB

MD5
20b31645bcf70da6d175a19a89fc94e7

SHA1
5a26a35b0e660ba3aca245e0f999ece974302b38

SHA256
e612dc2385a49115c4df88c10bdf3535a83daef27f7293f15f15a1ad7784d4d3

SHA512
abdac4a7c6980dc7624f9b278d5b04b2ec46e44f1f050b68a3fb5fcc18339b31897eff005fc3fe4f120d041a4323faf1d65cb17a14a49a4e4b4159b22e9932dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvxhmhu.zip

Filesize
444KB

MD5
d71848944418c67f6eb230682f9a969a

SHA1
11d37a0eccbaf9995c6b236ff1a99d174a2566bd

SHA256
efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e

SHA512
7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
\Users\Admin\AppData\Local\Temp\vvzosluykp.exe

Filesize
60KB

MD5
b43f5aa7e768abb0f4ed72288c5b76b3

SHA1
92b6620384eb0c218ff16bf9adff940928734809

SHA256
3bf3ed6a245662efc963da4b085f256f10d18f0215187e535e376d749c04e05a

SHA512
8a6e5c7367e5899c68c58c2594f7307ff80284332a3f0cf69fcab24bc4da236cd45751eb172d725b7b21d197d20146dc78acad23aaa0ce96f9a2dffb3c90834e

Download Submit
memory/320-81-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/320-85-0x0000000000460000-0x00000000004EF000-memory.dmp

Filesize
572KB

Download
memory/320-301-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/320-297-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/320-78-0x000000004A0B0000-0x000000004A0FC000-memory.dmp

Filesize
304KB

Download
memory/320-79-0x000000004A0B0000-0x000000004A0FC000-memory.dmp

Filesize
304KB

Download
memory/320-80-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/320-82-0x0000000002040000-0x0000000002343000-memory.dmp

Filesize
3.0MB

Download
memory/1228-83-0x00000000043C0000-0x0000000004497000-memory.dmp

Filesize
860KB

Download
memory/1228-130-0x00000000043C0000-0x0000000004497000-memory.dmp

Filesize
860KB

Download
memory/1228-77-0x0000000003E80000-0x0000000003F43000-memory.dmp

Filesize
780KB

Download
memory/2012-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-75-0x0000000000CA0000-0x0000000000FA3000-memory.dmp

Filesize
3.0MB

Download
memory/2012-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-76-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download