Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-06-2023 23:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
- Resource: win7-20230220-en
General
- Target: 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
- Size: 421KB
- MD5: d7785eb032bdc8df551ceda9933688d0
- SHA1: 5e454bd1f8097155f40bec0d64c60f4aae1c988c
- SHA256: 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47
- SHA512: f71fcaee801179df15c505a77da079aebe45d80c325bc7f60d4afdd2ed25e1589fa6d20ba6414f2adee05c49add6e337dcf29c0ff3cf6b44c531b8e6d4308c16
- SSDEEP: 6144:wZuuObR8sVImcyYJnuptejV0rXkSfvyXwXtYV/wADJ2oC9IAyBDxnlYAVjk10k9j:nV+mzLgkvywC2ok9OpC0k9a3hAeXAZ
Malware Config
Signatures
- NirSoft MailPassView (6 IoCs)
  Password recovery tool for various email clients.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe | MailPassView (3 occurrences)
  behavioral2/memory/4368-159-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/4368-161-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/4368-163-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (6 IoCs)
  Password recovery tool for various web browsers.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe | WebBrowserPassView (3 occurrences)
  behavioral2/memory/5052-168-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5052-170-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/5052-177-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- Nirsoft (9 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe | Nirsoft (3 occurrences)
  behavioral2/memory/4368-159-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4368-161-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4368-163-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/5052-168-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/5052-170-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/5052-177-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | Payment.sfx.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  4592 | Payment.sfx.exe
  4496 | Payment.exe
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | whatismyipaddress.com
  16 | whatismyipaddress.com
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 4496 set thread context of 4368 | 4496 | Payment.exe | vbc.exe
  PID 4496 set thread context of 5052 | 4496 | Payment.exe | vbc.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4496 | Payment.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4496 | Payment.exe
  Token: SeRestorePrivilege | 4428 | dw20.exe
  Token: SeBackupPrivilege | 4428 | dw20.exe (4 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  4496 | Payment.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | process | target process
  PID 2724 wrote to memory of 1936 | 2724 | 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe | cmd.exe (3 occurrences)
  PID 1936 wrote to memory of 4592 | 1936 | cmd.exe | Payment.sfx.exe (3 occurrences)
  PID 4592 wrote to memory of 4496 | 4592 | Payment.sfx.exe | Payment.exe (3 occurrences)
  PID 4496 wrote to memory of 4368 | 4496 | Payment.exe | vbc.exe (9 occurrences)
  PID 4496 wrote to memory of 5052 | 4496 | Payment.exe | vbc.exe (9 occurrences)
  PID 4496 wrote to memory of 4428 | 4496 | Payment.exe | dw20.exe (3 occurrences)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
      Command line: Payment.sfx.exe -phy6er34w55 -dC:\Users\Admin\AppData\Local\Temp
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          Signatures: Accesses Microsoft Outlook accounts
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 2388
          Signatures: Drops file in Windows directory; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat
  Filesize: 37B
  MD5: c1c7b88c2e498633661fd417629642e4
  SHA1: 31f71ea8ed60a6be976892aeb577449b83cac656
  SHA256: 400295a410683b336d989f0d3f4143909eed33c82a0b6e2bc177b8a468044408
  SHA512: 528079b772f0ca5e059782b7b93c4f3799bdb895dd1b2e8185b975b1b6cd9ed1e49df3d01717cf55d735e089e8f416b4a8a4c396a64ab5e3772d135bd7457cfd
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
  Filesize: 353KB
  MD5: 161991a5baa0cdd7b0276afc55c15824
  SHA1: accb43eba8d28d58536eae0f29fbc5f2108a106c
  SHA256: bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c
  SHA512: e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
  Filesize: 521KB
  MD5: b8a34d1b414d8d8aec00b99032692d38
  SHA1: 3a8ce329277832b268d395eb8b4971eb63cdbbe9
  SHA256: 524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca
  SHA512: ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- memory/2724-208-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2724-164-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4368-163-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4368-161-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4368-159-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4496-166-0x0000000001240000-0x0000000001250000-memory.dmp (Filesize: 64KB)
- memory/4496-167-0x0000000001240000-0x0000000001250000-memory.dmp (Filesize: 64KB)
- memory/4496-156-0x0000000001240000-0x0000000001250000-memory.dmp (Filesize: 64KB)
- memory/4496-155-0x0000000001240000-0x0000000001250000-memory.dmp (Filesize: 64KB)
- memory/4592-165-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/4592-206-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/5052-168-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/5052-170-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/5052-176-0x0000000000460000-0x0000000000529000-memory.dmp (Filesize: 804KB)
- memory/5052-177-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)