Analysis
-
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2023 22:49
Static task: static1
Behavioral task: behavioral1
Sample: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
Resource: win7-20230220-en
General
-
Target: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
Size: 421KB
MD5: 0a2b49b01d618678868d19636000c625
SHA1: 38d83bff735ab583975d95c462e81e33741aa0da
SHA256: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f
SHA512: 2336cf5a155e0395cab155917999ff3b9b79b30c913513b528d74f56acff0473e66c6fe3e9ab9d1198835aeb4b772b82c8457d718538c6292581ec8dfaec5a0b
SSDEEP: 6144:wZuuObR8sVImcyYJnup+8ejV0rXkSjHFBTVm0+HhGsv7EqElNldmkHOKwKyWhwHE:nV+mzLsc/TwlMsDVE9d4HjjKjN
Malware Config
Extracted
Protocol: smtp
Host: mail.tcci.org.sa
Port: 587
Username: [email protected]
Password: Cream3040
Signatures
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
Processes:
resource [yara_rule]
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe [MailPassView] (3 hits)
behavioral2/memory/3856-160-0x0000000000400000-0x000000000041B000-memory.dmp [MailPassView]
behavioral2/memory/3856-162-0x0000000000400000-0x000000000041B000-memory.dmp [MailPassView]
behavioral2/memory/3856-164-0x0000000000400000-0x000000000041B000-memory.dmp [MailPassView]
-
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Processes:
resource [yara_rule]
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe [WebBrowserPassView] (3 hits)
behavioral2/memory/3460-169-0x0000000000400000-0x0000000000458000-memory.dmp [WebBrowserPassView]
behavioral2/memory/3460-171-0x0000000000400000-0x0000000000458000-memory.dmp [WebBrowserPassView]
behavioral2/memory/3460-178-0x0000000000400000-0x0000000000458000-memory.dmp [WebBrowserPassView]
-
Nirsoft 9 IoCs
Processes:
resource [yara_rule]
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe [Nirsoft] (3 hits)
behavioral2/memory/3856-160-0x0000000000400000-0x000000000041B000-memory.dmp [Nirsoft]
behavioral2/memory/3856-162-0x0000000000400000-0x000000000041B000-memory.dmp [Nirsoft]
behavioral2/memory/3856-164-0x0000000000400000-0x000000000041B000-memory.dmp [Nirsoft]
behavioral2/memory/3460-169-0x0000000000400000-0x0000000000458000-memory.dmp [Nirsoft]
behavioral2/memory/3460-171-0x0000000000400000-0x0000000000458000-memory.dmp [Nirsoft]
behavioral2/memory/3460-178-0x0000000000400000-0x0000000000458000-memory.dmp [Nirsoft]
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
process: description / ioc
034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe: Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
PAYMENT.sfx.exe: Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE 2 IoCs
Processes:
pid process
964 PAYMENT.sfx.exe
1852 PAYMENT.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
process: description / ioc
vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
16 whatismyipaddress.com
14 whatismyipaddress.com
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description: pid process -> target process
PID 1852 (PAYMENT.exe) set thread context of 3856 (vbc.exe)
PID 1852 (PAYMENT.exe) set thread context of 3460 (vbc.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1852 PAYMENT.exe (64 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: pid process
Token: SeDebugPrivilege 1852 PAYMENT.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
1852 PAYMENT.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description: pid process -> target process (count)
PID 4112 (034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe) wrote to memory of 2140 (cmd.exe), 3 times
PID 2140 (cmd.exe) wrote to memory of 964 (PAYMENT.sfx.exe), 3 times
PID 964 (PAYMENT.sfx.exe) wrote to memory of 1852 (PAYMENT.exe), 3 times
PID 1852 (PAYMENT.exe) wrote to memory of 3856 (vbc.exe), 9 times
PID 1852 (PAYMENT.exe) wrote to memory of 3460 (vbc.exe), 9 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat" "
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe
      command line: PAYMENT.sfx.exe -phdsa32w8hh556 -dC:\Users\Admin\AppData\Local\Temp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
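The chain the report records (dropper -> cmd.exe running a .bat out of RarSFX0 -> a password-protected inner SFX -> PAYMENT.exe, which writes memory into and sets the thread context of two vbc.exe children that then run with NirSoft's /stext switch) is also what a detection rule should key on, covering both the SetThreadContext/WriteProcessMemory signature entries above and this process tree. The following Python is an added example written for this page, not code from the sandbox or from the report. It runs three checks over constructed telemetry shaped after the report's entries; the field names op/pid/ppid/image/cmdline/target are an assumed schema to be mapped onto Sysmon or EDR fields, and the list of NirSoft save switches beyond /stext is taken from NirSoft's documented command-line options. A benign MSBuild -> vbc.exe compile is included as a false-positive control.

```python
"""Detection logic for the behaviour in this report: password-protected RAR SFX
nesting, process hollowing into vbc.exe, and NirSoft password-recovery tools
driven with /stext.  Added example; not code from the sandbox or the report.
Event schema (op, pid, ppid, image, cmdline, target) is an assumption."""
import ntpath
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = "034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"


def _create(pid, ppid, image, cmdline):
    return {"op": "create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed telemetry modelled on the report's process tree and signature
# entries (PIDs 4112, 2140, 964, 1852, 3856, 3460).  PIDs 5000/5001 are a
# benign MSBuild -> vbc.exe compile added as a false-positive control.
SAMPLE_EVENTS = [
    _create(4112, None, TMP + "\\" + DROPPER, f'"{TMP}\\{DROPPER}"'),
    _create(2140, 4112, r"C:\Windows\SysWOW64\cmd.exe",
            f'C:\\Windows\\system32\\cmd.exe /c ""{TMP}\\RarSFX0\\uy5er3w92wq.bat" "'),
    _create(964, 2140, TMP + r"\RarSFX0\PAYMENT.sfx.exe",
            f"PAYMENT.sfx.exe -phdsa32w8hh556 -d{TMP}"),
    _create(1852, 964, TMP + r"\RarSFX1\PAYMENT.exe", f'"{TMP}\\RarSFX1\\PAYMENT.exe"'),
    _create(3856, 1852, VBC, f'{VBC} /stext "{TMP}\\holdermail.txt"'),
    _create(3460, 1852, VBC, f'{VBC} /stext "{TMP}\\holderwb.txt"'),
    _create(5000, None, r"C:\Program Files\MSBuild\MSBuild.exe", "MSBuild.exe app.vbproj"),
    _create(5001, 5000, VBC, f"{VBC} /noconfig /out:app.dll Module1.vb"),
    {"op": "write_mem", "pid": 4112, "target": 2140},
    {"op": "write_mem", "pid": 2140, "target": 964},
    {"op": "write_mem", "pid": 964, "target": 1852},
    {"op": "write_mem", "pid": 1852, "target": 3856},
    {"op": "set_thread_ctx", "pid": 1852, "target": 3856},
    {"op": "write_mem", "pid": 1852, "target": 3460},
    {"op": "set_thread_ctx", "pid": 1852, "target": 3460},
]

# NirSoft "save report" switches; /stext is the one this sample uses.
NIRSOFT_SAVE_SWITCHES = ("/stext", "/scomma", "/stab", "/shtml", "/sxml")
# WinRAR SFX password switch: -p<password> with no space.
SFX_PASSWORD_RE = re.compile(r"(?:^|\s)-p\S+")


def detect(events):
    """Return sorted (rule, pid) findings over events in the assumed schema."""
    procs = {e["pid"]: e for e in events if e["op"] == "create"}
    touched = defaultdict(set)  # (source pid, target pid) -> {ops seen}
    for e in events:
        if e["op"] in ("write_mem", "set_thread_ctx"):
            touched[(e["pid"], e["target"])].add(e["op"])
    findings = set()
    # Rule 1: hollowing candidate.  A parent writing into a fresh child is
    # normal (the report logs it for every hop); writing AND replacing the
    # child's thread context is the hollowing signature.
    for (src, tgt), ops in touched.items():
        if ops >= {"write_mem", "set_thread_ctx"} and procs.get(tgt, {}).get("ppid") == src:
            findings.add(("process_hollowing", tgt))
    for pid, p in procs.items():
        name = ntpath.basename(p["image"]).lower()
        cmd = p["cmdline"].lower()
        # Rule 2: vbc.exe is a compiler; a NirSoft save switch on its command
        # line means the image in memory is no longer the compiler.
        if name == "vbc.exe" and any(s in cmd for s in NIRSOFT_SAVE_SWITCHES):
            findings.add(("nirsoft_in_vbc", pid))
        # Rule 3: a nested, password-protected SFX launched out of RarSFX*.
        if "rarsfx" in p["image"].lower() and SFX_PASSWORD_RE.search(p["cmdline"]):
            findings.add(("password_sfx", pid))
    return sorted(findings)


def chain(events, pid):
    """Image basenames from the root ancestor down to pid."""
    procs = {e["pid"]: e for e in events if e["op"] == "create"}
    out = []
    while pid in procs:
        out.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return out[::-1]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:18} pid={pid}  {' > '.join(chain(SAMPLE_EVENTS, pid))}")
```

Rule 1 deliberately needs both operations against a process the source itself spawned; on its own, WriteProcessMemory fires on every hop of the chain (the report lists 27 such events) and would be noise. Rule 2 is the cheapest high-confidence signal here: a .NET compiler has no reason to take /stext, and the same check generalises to other hollowing hosts (RegAsm.exe, MSBuild.exe, RegSvcs.exe) by widening the basename test.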
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe (listed twice)
Filesize: 353KB
MD5: 0d41db7f519edbaf94ef1a9758277922
SHA1: 7bd810e5e1eaca7d95a1018f7511b95cde2c3ddb
SHA256: d95aea380c8460380f31a3647e74c71be30f234f800fc0423817365853d08133
SHA512: b0cc5404a490a8eb55ee09ad658a8aa1973134a2028cace1bc20cdfdeb1cd81ce2636a22b04aac8076428ce1aa29ecad943ca1f546ed2506df51b15885fc7599
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat
Filesize: 40B
MD5: e6cd8ea602d1579a98bb1e28f0e7d41c
SHA1: a0f2bac9a3bdc7cfc93c423139fc8362403a98ec
SHA256: f229d2fd8c7b71f420e0c15b9e69118c21f2779d4e1dcc242409dffce1e959da
SHA512: 3b426ed9ea945cb3d42df0584970a646e14d7bd269530cd18b1c9896aebe7fb54b58fd4353b236c6b1f4ca675cf4a8b516f767361f358ac04afdad7613388895
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe (listed three times)
Filesize: 520KB
MD5: 51a65fd9c7d2ac354e07a3ccf1f701b2
SHA1: a52da29f6aa612b4dcb33fec4eaf801e45927b2c
SHA256: 24d2ccc6308ea383cebd3906fe2c440c783eb0eb87d1e36954cdb739a770f288
SHA512: e58e067353d1affb65519d4ca95d5a09d9ab385798278e86c1f6ca9b327e49fac186e5420f7eb411ded9d468a0b1eb6a9e3a2421696d776957ee14be33a41f87
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
memory/964-165-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize: 132KB
-
memory/1852-167-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/1852-166-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/1852-206-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/1852-203-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/1852-155-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/1852-156-0x00000000014B0000-0x00000000014C0000-memory.dmp
Filesize: 64KB
-
memory/3460-178-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/3460-169-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/3460-171-0x0000000000400000-0x0000000000458000-memory.dmp
Filesize: 352KB
-
memory/3856-160-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/3856-164-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/3856-163-0x0000000000420000-0x00000000004E9000-memory.dmp
Filesize: 804KB
-
memory/3856-162-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
-
memory/4112-159-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize: 152KB