Analysis
-
max time kernel
112s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
09-06-2023 22:49
Static task
static1
Behavioral task
behavioral1
Sample
034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
Resource
win7-20230220-en
General
-
Target
034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
-
Size
421KB
-
MD5
0a2b49b01d618678868d19636000c625
-
SHA1
38d83bff735ab583975d95c462e81e33741aa0da
-
SHA256
034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f
-
SHA512
2336cf5a155e0395cab155917999ff3b9b79b30c913513b528d74f56acff0473e66c6fe3e9ab9d1198835aeb4b772b82c8457d718538c6292581ec8dfaec5a0b
-
SSDEEP
6144:wZuuObR8sVImcyYJnup+8ejV0rXkSjHFBTVm0+HhGsv7EqElNldmkHOKwKyWhwHE:nV+mzLsc/TwlMsDVE9d4HjjKjN
Signatures
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | MailPassView (3 hits)
behavioral1/memory/1944-82-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1944-84-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1944-87-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/1944-90-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | WebBrowserPassView (3 hits)
behavioral1/memory/1676-91-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1676-93-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
behavioral1/memory/1676-97-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
-
Nirsoft 11 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe | Nirsoft (3 hits)
behavioral1/memory/1944-82-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1944-84-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1944-87-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1944-90-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/1676-91-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1676-93-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
behavioral1/memory/1676-97-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
876 | PAYMENT.sfx.exe
1740 | PAYMENT.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
872 | cmd.exe
876 | PAYMENT.sfx.exe
-
Uses the VBS compiler for execution 1 TTPs
vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework, a signed Microsoft binary. It is launched twice here as a host process; the NirSoft YARA hits above are on the memory of those two vbc.exe instances (PIDs 1944 and 1676), not on vbc.exe itself on disk.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe (the instance hosting MailPassView, which enumerates this account store)
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | whatismyipaddress.com
5 | whatismyipaddress.com
6 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1740 set thread context of 1944 | 1740 | PAYMENT.exe | vbc.exe
PID 1740 set thread context of 1676 | 1740 | PAYMENT.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1740 | PAYMENT.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1740 | PAYMENT.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1740 | PAYMENT.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process | entries
PID 1048 wrote to memory of 872 | 1048 | 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe | cmd.exe | 4
PID 872 wrote to memory of 876 | 872 | cmd.exe | PAYMENT.sfx.exe | 4
PID 876 wrote to memory of 1740 | 876 | PAYMENT.sfx.exe | PAYMENT.exe | 4
PID 1740 wrote to memory of 1944 | 1740 | PAYMENT.exe | vbc.exe | 10
PID 1740 wrote to memory of 1676 | 1740 | PAYMENT.exe | vbc.exe | 10
(The 32 raw entries are collapsed by count. Every ordinary parent/child pair in the chain shows the same four writes; the ten writes into each vbc.exe, combined with the SetThreadContext entries above, are the process-hollowing pattern.)
-
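The SetThreadContext and WriteProcessMemory tables are the sandbox's view of process hollowing: PAYMENT.exe (PID 1740) spawns vbc.exe, writes into it ten times and then replaces its thread context, while every other parent/child pair in the chain shows only the four writes that every spawning process here produces. The script below is an added example, not the sandbox's own code: it transcribes those records into a constructed one-event-per-line format of my own and correlates them into per-pair findings. The event format, the `Finding` type, the baseline of four writes and the rule that a pair needs both a write and a context change are assumptions, not something the report defines.

```python
"""Correlate sandbox API records into process-hollowing findings.

Added example, not the sandbox's own code. SANDBOX_EVENTS is constructed by
transcribing the report's WriteProcessMemory and SetThreadContext tables into
a one-event-per-line format of my own; that format and the detection logic
are assumptions, not something the report defines.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROOT = "034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"

# Constructed input: "<pid> <api> <target_pid> <process> <target_process>".
# Repeat counts mirror the report: four writes for every ordinary parent/child
# pair, ten writes plus one SetThreadContext for each vbc.exe that is hollowed.
SANDBOX_EVENTS = (
    [f"1048 WriteProcessMemory 872 {ROOT} cmd.exe"] * 4
    + ["872 WriteProcessMemory 876 cmd.exe PAYMENT.sfx.exe"] * 4
    + ["876 WriteProcessMemory 1740 PAYMENT.sfx.exe PAYMENT.exe"] * 4
    + ["1740 WriteProcessMemory 1944 PAYMENT.exe vbc.exe"] * 10
    + ["1740 WriteProcessMemory 1676 PAYMENT.exe vbc.exe"] * 10
    + [
        "1740 SetThreadContext 1944 PAYMENT.exe vbc.exe",
        "1740 SetThreadContext 1676 PAYMENT.exe vbc.exe",
    ]
)

Pair = Tuple[int, int]  # (parent pid, target pid)


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    parent_image: str
    child_pid: int
    child_image: str
    writes: int


def parse_event(line: str) -> Tuple[int, str, int, str, str]:
    pid, api, target, proc, target_proc = line.split(maxsplit=4)
    return int(pid), api, int(target), proc, target_proc


def tally(lines) -> Tuple[Dict[Pair, int], set, Dict[Pair, Tuple[str, str]]]:
    """Count writes per (parent, target) pair, record which pairs saw a
    SetThreadContext, and keep the image names for reporting."""
    writes: Dict[Pair, int] = defaultdict(int)
    ctx = set()
    images: Dict[Pair, Tuple[str, str]] = {}
    for line in lines:
        pid, api, target, proc, target_proc = parse_event(line)
        key = (pid, target)
        images[key] = (proc, target_proc)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            ctx.add(key)
    return writes, ctx, images


def find_hollowing(lines) -> List[Finding]:
    """Flag a pair only when the parent both wrote into the child and replaced
    its thread context. Writes alone are not the signal: plain process
    creation also produces a few (four per pair in this report), so the
    SetThreadContext is what separates injection from ordinary CreateProcess."""
    writes, ctx, images = tally(lines)
    out = []
    for key in sorted(ctx):
        if writes[key] == 0:
            continue  # context change with no write: not hollowing (assumption)
        parent_image, child_image = images[key]
        out.append(Finding(key[0], parent_image, key[1], child_image, writes[key]))
    return out


def excess_writers(lines, baseline: int = 4) -> Dict[Pair, int]:
    """Weaker, independent signal: pairs whose write count exceeds what process
    creation alone accounts for. The baseline of four is read off the
    non-injecting pairs in this report; elsewhere it is an assumption."""
    writes, _, _ = tally(lines)
    return {k: n for k, n in writes.items() if n > baseline}


if __name__ == "__main__":
    for f in find_hollowing(SANDBOX_EVENTS):
        print(f"hollowing: {f.parent_image} ({f.parent_pid}) -> "
              f"{f.child_image} ({f.child_pid}) after {f.writes} writes")
```

Run stand-alone it reports the two vbc.exe instances and nothing else; the cmd.exe and PAYMENT.sfx.exe pairs stay quiet because they never see a SetThreadContext. On a real endpoint the same correlation applies to Sysmon ProcessAccess (event 10) or an EDR's API telemetry, but the thresholds have to be re-baselined for that source.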
Processes
-
C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe  [depth 1, PID 1048]
  command line: "C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe  [depth 2, PID 872]
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat" "
    (RarSFX<n> under %TEMP% is the directory a WinRAR self-extracting archive unpacks into, so the submitted sample is itself an SFX: it drops the 40-byte batch file and PAYMENT.sfx.exe into RarSFX0 and runs the batch file.)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe  [depth 3, PID 876]
      command line: PAYMENT.sfx.exe -phdsa32w8hh556 -dC:\Users\Admin\AppData\Local\Temp
      (WinRAR SFX switches: -p<password> supplies the archive password, here hdsa32w8hh556, and -d<path> the extraction directory. The password keeps the inner archive opaque to any scanner that does not also see this command line.)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe  [depth 4, PID 1740]
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [depth 5, PID 1944]
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          (Hollowed host for MailPassView, per the YARA hits on its memory. /stext <file> is the NirSoft switch that writes the recovered credentials to a text file; a compiler invoked with no source files and a NirSoft switch is the tell.)
          - Accesses Microsoft Outlook accounts
        -
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [depth 5, PID 1676]
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          (Hollowed host for WebBrowserPassView, per the YARA hits on its memory.)
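The process tree carries three command-line artefacts that translate directly into detection rules: cmd.exe running a .bat out of a RarSFX temp directory, a password-protected SFX extraction (-p and -d), and a .NET compiler invoked with a NirSoft /stext switch instead of source files. The following is an added example of mine, not the sandbox's own detection logic: it reconstructs the tree from the page (PIDs taken from the WriteProcessMemory table) and matches those rules against the command lines. The `Proc` type, the rule names, the `HOLLOW_HOSTS` set and the `NIRSOFT_SAVE` switch list are my own assumptions and meant to be extended.

```python
"""Rule-match a sandbox process tree by command line.

Added example, not the sandbox's own code. PROCESS_TREE is constructed from the
report's Processes section, with PIDs taken from its WriteProcessMemory table;
the rules, HOLLOW_HOSTS and NIRSOFT_SAVE are my own assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


ROOT = r"C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree.
PROCESS_TREE: List[Proc] = [
    Proc(1048, None, ROOT, f'"{ROOT}"'),
    Proc(872, 1048, r"C:\Windows\SysWOW64\cmd.exe",
         rf'cmd /c ""{TEMP}\RarSFX0\uy5er3w92wq.bat" "'),
    Proc(876, 872, rf"{TEMP}\RarSFX0\PAYMENT.sfx.exe",
         rf"PAYMENT.sfx.exe -phdsa32w8hh556 -d{TEMP}"),
    Proc(1740, 876, rf"{TEMP}\RarSFX1\PAYMENT.exe", rf'"{TEMP}\RarSFX1\PAYMENT.exe"'),
    Proc(1944, 1740, VBC, rf'{VBC} /stext "{TEMP}\holdermail.txt"'),
    Proc(1676, 1740, VBC, rf'{VBC} /stext "{TEMP}\holderwb.txt"'),
]

# .NET Framework binaries commonly abused as hollowing hosts (assumption; extend).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# NirSoft "save report" switches; a compiler has no legitimate use for any of them.
NIRSOFT_SAVE = re.compile(r"(?<!\S)/s(?:text|tab|comma|html|verhtml|xml)\b", re.I)
# WinRAR SFX switches: -p<password> and -d<destination>, written without a space.
SFX_PASSWORD = re.compile(r"(?<!\S)-p(\S+)")
SFX_DEST = re.compile(r"(?<!\S)-d(\S+)")
# A batch file executed out of a RarSFX<n> extraction directory.
BAT_FROM_SFX = re.compile(r"rarsfx\d*\\[^\s\"]+\.bat", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def sfx_switches(cmdline: str) -> Dict[str, Optional[str]]:
    """Pull the archive password and extraction directory off an SFX command line."""
    pw, dest = SFX_PASSWORD.search(cmdline), SFX_DEST.search(cmdline)
    return {"password": pw.group(1) if pw else None,
            "dest": dest.group(1) if dest else None}


def match_rules(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every process that trips a rule."""
    alerts = []
    for p in procs:
        name = basename(p.image)
        if name in HOLLOW_HOSTS and NIRSOFT_SAVE.search(p.cmdline):
            alerts.append((p.pid, "nirsoft_switch_in_dotnet_host"))
        looks_like_sfx = name.endswith(".sfx.exe") or "rarsfx" in p.image.lower()
        if looks_like_sfx and sfx_switches(p.cmdline)["password"]:
            alerts.append((p.pid, "password_protected_sfx_extract"))
        if name == "cmd.exe" and BAT_FROM_SFX.search(p.cmdline):
            alerts.append((p.pid, "cmd_runs_bat_from_sfx_temp"))
    return alerts


def ancestry(procs: List[Proc], pid: int) -> List[int]:
    """Walk parent links from pid up to the root, for triage context."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in match_rules(PROCESS_TREE):
        print(f"{rule}: pid {pid}, chain {' <- '.join(map(str, ancestry(PROCESS_TREE, pid)))}")
    print(sfx_switches(PROCESS_TREE[2].cmdline))
```

The same regexes apply unchanged to Sysmon event 1 or 4688 command lines. The SFX password is recoverable from the command line alone, which is worth capturing at triage time: it lets an analyst open PAYMENT.sfx.exe as an archive without running it.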
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe
(listed three times in the raw report, once under the path form \Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe; same hashes each time)
Filesize
353KB
MD5
0d41db7f519edbaf94ef1a9758277922
SHA1
7bd810e5e1eaca7d95a1018f7511b95cde2c3ddb
SHA256
d95aea380c8460380f31a3647e74c71be30f234f800fc0423817365853d08133
SHA512
b0cc5404a490a8eb55ee09ad658a8aa1973134a2028cace1bc20cdfdeb1cd81ce2636a22b04aac8076428ce1aa29ecad943ca1f546ed2506df51b15885fc7599
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat
(listed twice in the raw report; same hashes each time. Its content is not reproduced on the page.)
Filesize
40B
MD5
e6cd8ea602d1579a98bb1e28f0e7d41c
SHA1
a0f2bac9a3bdc7cfc93c423139fc8362403a98ec
SHA256
f229d2fd8c7b71f420e0c15b9e69118c21f2779d4e1dcc242409dffce1e959da
SHA512
3b426ed9ea945cb3d42df0584970a646e14d7bd269530cd18b1c9896aebe7fb54b58fd4353b236c6b1f4ca675cf4a8b516f767361f358ac04afdad7613388895
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe
(listed four times in the raw report, once under the path form \Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe; same hashes each time)
Filesize
520KB
MD5
51a65fd9c7d2ac354e07a3ccf1f701b2
SHA1
a52da29f6aa612b4dcb33fec4eaf801e45927b2c
SHA256
24d2ccc6308ea383cebd3906fe2c440c783eb0eb87d1e36954cdb739a770f288
SHA512
e58e067353d1affb65519d4ca95d5a09d9ab385798278e86c1f6ca9b327e49fac186e5420f7eb411ded9d468a0b1eb6a9e3a2421696d776957ee14be33a41f87
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
(the WebBrowserPassView /stext output; at 2 bytes it is effectively empty, so no browser credentials were harvested in the sandbox image. The MailPassView output holdermail.txt does not appear among the captured files.)
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Memory dumps
dump | region | size | process
memory/1048-80 | 0x0000000000400000-0x0000000000426000 | 152KB | PID 1048, submitted sample
memory/876-81 | 0x0000000000400000-0x0000000000421000 | 132KB | PID 876, PAYMENT.sfx.exe
memory/1740-77, 1740-85, 1740-86, 1740-100, 1740-107, 1740-112 | 0x0000000000250000-0x0000000000290000 | 256KB each | PID 1740, PAYMENT.exe (six snapshots of the same region)
memory/1944-82, 1944-84, 1944-87, 1944-90 | 0x0000000000400000-0x000000000041B000 | 108KB each | PID 1944, vbc.exe (four snapshots; MailPassView YARA hits)
memory/1676-91, 1676-93, 1676-97 | 0x0000000000400000-0x0000000000458000 | 352KB each | PID 1676, vbc.exe (three snapshots; WebBrowserPassView YARA hits)
(The 0x400000 regions in the two vbc.exe processes are where the hollowed-in NirSoft images live, which is why the YARA rules match the memory dumps but not a file on disk.)