Analysis

max time kernel: 155s
max time network: 126s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2023 02:56
Static task: static1

Behavioral task: behavioral1
  Sample: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
  Resource: win10v2004-20230220-en
General

Target: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
Size: 505KB
MD5: 31fdba408133d245e8761d8960b8e568
SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594
SSDEEP: 6144:sNxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9F7I:CxQtqB5urTIoYWBQk1E+VF9mOx9q
Malware Config

Extracted
  Protocol: smtp
  Host: smtp.gmail.com
  Port: 587
  Username: painnerlogger092@gmail.com
  Password: pxfvdhixclsqroly
Signatures

NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | MailPassView
  behavioral1/memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral1/memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | WebBrowserPassView
  behavioral1/memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral1/memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
Nirsoft (11 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | Nirsoft
  behavioral1/memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral1/memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral1/memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
Deletes itself (1 IoCs)
Processes:
  pid | process
  580 | Windows Update.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  580 | Windows Update.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  924 | d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  6 | whatismyipaddress.com
  3 | whatismyipaddress.com
  5 | whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 580 set thread context of 908 | 580 | Windows Update.exe | vbc.exe
  PID 580 set thread context of 744 | 580 | Windows Update.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  580 | Windows Update.exe (this row appears 64 times in the report, one per event)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 580 | Windows Update.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  580 | Windows Update.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description | pid | process | target process
  PID 924 wrote to memory of 580 | 924 | d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe | Windows Update.exe (7 events)
  PID 580 wrote to memory of 908 | 580 | Windows Update.exe | vbc.exe (10 events)
  PID 580 wrote to memory of 744 | 580 | Windows Update.exe | vbc.exe (10 events)
Processes

C:\Users\Admin\AppData\Local\Temp\d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 3e584bc9e5182d81e22464ca9d69f641
  SHA1: c8456dea7d64d6edb0e109078ec589bdf5eaaff0
  SHA256: 71d301b79fcbfe0aaa3b5434c6bad96dfcd874b9f943adaf5563b31880548369
  SHA512: 3bfbc10b1c29fbc26af2730b2237aa0257f5221036270dddaf484bca1488bd1f9927bc63bbff4fa813fa866535122cc722a8def2cd561a34bf0f41808d8b75d7

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 505KB
  MD5: 31fdba408133d245e8761d8960b8e568
  SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
  SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
  SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 505KB
  MD5: 31fdba408133d245e8761d8960b8e568
  SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
  SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
  SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  Filesize: 505KB
  MD5: 31fdba408133d245e8761d8960b8e568
  SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
  SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
  SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 505KB
  MD5: 31fdba408133d245e8761d8960b8e568
  SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
  SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
  SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

memory/580-63-0x0000000000100000-0x0000000000140000-memory.dmp
  Filesize: 256KB

memory/580-69-0x0000000000100000-0x0000000000140000-memory.dmp
  Filesize: 256KB

memory/580-83-0x0000000000100000-0x0000000000140000-memory.dmp
  Filesize: 256KB

memory/580-74-0x0000000000100000-0x0000000000140000-memory.dmp
  Filesize: 256KB

memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB

memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB

memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB

memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/924-54-0x0000000000540000-0x0000000000580000-memory.dmp
  Filesize: 256KB