Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2023 08:52
- Static task: static1
- Behavioral task: behavioral1, Sample: ba02abc98927e0f1c.exe, Resource: win7-20230621-en
- Behavioral task: behavioral2, Sample: ba02abc98927e0f1c.exe, Resource: win10v2004-20230621-en (the run reported below; all memory dumps and PIDs refer to it)
General
- Target: ba02abc98927e0f1c.exe
- Size: 657KB
- MD5: 0d34b9d96f2ae523a367698eb41392aa
- SHA1: 6ab2270dc35817ee1f15bb5dfacf096bb9d1219f
- SHA256: ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
- SHA512: 54d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
- SSDEEP: 12288:J/a3HealIvHubbP8LxyX9bkR1MA6HXyUys/07KD/tK2F4QKl1qOILE4nGYCNx:JinIeEkt21MAmivgpD/tK2F43lA7RGYI
Malware Config
Extracted (SMTP account the sample is configured to send through; 587 is the mail submission port)
- Protocol: smtp
- Host: mail.tcci.org.sa
- Port: 587
- Username: fahad.s@tcci.org.sa
- Password: Brown3044
Signatures
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
- behavioral2/memory/456-152-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
- behavioral2/memory/3660-162-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral2/memory/3660-164-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- behavioral2/memory/3660-166-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
- behavioral2/memory/456-152-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
- behavioral2/memory/3132-170-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral2/memory/3132-171-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- behavioral2/memory/3132-173-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
Nirsoft 7 IoCs
The seven hits are the union of the two rule sets above: the second Windows Update.exe instance (PID 456, region 0x400000-0x484000) matches both MailPassView and WebBrowserPassView, while each vbc.exe host carries one tool (PID 3660: MailPassView, PID 3132: WebBrowserPassView). All hits are at the image base of the respective process, which is what a hollowed host looks like in a memory dump.
Processes:
resource | yara_rule
- behavioral2/memory/456-152-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
- behavioral2/memory/3660-162-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/3660-164-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/3660-166-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- behavioral2/memory/3132-170-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral2/memory/3132-171-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- behavioral2/memory/3132-173-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
process | description | ioc
- ba02abc98927e0f1c.exe | Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 2 IoCs
Processes:
pid | process
- 1484 | Windows Update.exe
- 456 | Windows Update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. In this run it is launched twice by PID 456, each instance is a SetThreadContext and WriteProcessMemory target of that process, and the NirSoft YARA hits above are on the vbc.exe processes' memory, so the compiler serves only as a signed Microsoft host for the injected password-recovery tools.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
process | description | ioc
- vbc.exe | Key opened | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process | description | ioc
- Windows Update.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"
Note the spelling: the Run value points at WindowsUpdate.exe (no space), while the file the sample actually dropped and executed is Windows Update.exe (with a space), and the report lists no file at the no-space path. When hunting for this persistence, search for both names and do not rely on the Run entry alone to locate the binary.
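The following is an added example, not part of the sandbox report, showing how to cross-check a Run-key autostart entry against the files a sample wrote. The IoC string and the dropped-file paths are copied from this report; the line layout the parser expects ("Set value (type) <key>\<name> = "<data>"") is an assumption about the sandbox's output format, and the function names are the editor's own. It demonstrates the mismatch above: the exact path in the Run value matches nothing that was dropped, but a space-insensitive comparison finds the self-copy.

```python
"""Added example, not part of the sandbox report: cross-check the Run-key
autostart entry against the files the sample actually dropped."""
import re
from pathlib import PureWindowsPath

# Copied from the report's "Adds Run key" IoC; the report prints the value
# data with doubled backslashes.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"'
)

# Paths from the report's Downloads list and "Executes dropped EXE" signature.
DROPPED = [
    r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
    r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
    r"C:\Users\Admin\AppData\Local\Temp\SysInfo.txt",
]

# Line layout 'Set value (type) <key>\<name> = "<data>"' is an assumption.
_RUN_LINE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?\\Run)\\(.+?) = "(.*)"$')


def parse_run_value(ioc):
    """Split the IoC into value type, key, value name and autostart path,
    undoing the doubled backslashes in the printed data."""
    m = _RUN_LINE.match(ioc)
    if not m:
        raise ValueError("not a Run-key Set value line")
    kind, key, name, data = m.groups()
    return {"kind": kind, "key": key, "name": name, "data": data.replace("\\\\", "\\")}


def persistence_scope(run_value):
    """'user' for a \\REGISTRY\\USER\\<SID> key (HKCU, no admin rights needed),
    otherwise 'machine'."""
    return "user" if run_value["key"].upper().startswith("\\REGISTRY\\USER\\") else "machine"


def autostart_target_exists(run_value, dropped):
    """Exact (case-insensitive) match of the autostart path against dropped files."""
    want = PureWindowsPath(run_value["data"])
    return any(PureWindowsPath(d) == want for d in dropped)


def near_miss_targets(run_value, dropped):
    """Dropped files in the same directory whose name matches once spaces are
    ignored: the files to re-check by hand when the exact match fails."""
    def norm(path):
        p = PureWindowsPath(path)
        return str(p.parent).lower(), p.name.lower().replace(" ", "")
    return [d for d in dropped if norm(d) == norm(run_value["data"])]


def in_user_profile(run_value):
    """True when the autostart path points into the user's AppData tree,
    i.e. a location the malware could write without elevation."""
    return "\\appdata\\" in run_value["data"].lower()


if __name__ == "__main__":
    rv = parse_run_value(RUN_KEY_IOC)
    print(rv["name"], "->", rv["data"], "| scope:", persistence_scope(rv))
    print("exact dropped match:", autostart_target_exists(rv, DROPPED))
    print("near misses (re-check by hand):", near_miss_targets(rv, DROPPED))
```

On this report the exact match is False and the only near miss is the dropped Windows Update.exe, which is exactly the ambiguity a responder has to resolve on the host rather than from the report.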
Drops desktop.ini file(s) 2 IoCs
Processes:
process | description | ioc
- ba02abc98927e0f1c.exe | File opened for modification | C:\Windows\assembly\Desktop.ini
- ba02abc98927e0f1c.exe | File created | C:\Windows\assembly\Desktop.ini
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 29 | whatismyipaddress.com
- 32 | whatismyipaddress.com
Drops file in System32 directory 8 IoCs
Processes:
process | description | ioc
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6724CC8B-2CC8-4B91-B166-BA531DEDD4F2}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3DDC4AAA-882E-4913-A63B-EB41E90BE900}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{35E97D52-E005-4D7A-A154-94BFDBFA5176}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5E5C855E-A502-45B9-8199-E53C64570B30}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8B3C87D6-90B7-43EF-BB0B-7EFECBB48DC7}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{96398BE4-E868-4577-AC18-3490C826BB4F}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{732CC94B-B32C-470B-A522-AD7994335B4D}.catalogItem
- svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1D684D0E-15C3-4243-B3D8-F8209DEBA778}.catalogItem
Suspicious use of SetThreadContext 4 IoCs
Processes:
source pid (process) | target pid (process)
- PID 4304 (ba02abc98927e0f1c.exe) set thread context of 4172 (ba02abc98927e0f1c.exe)
- PID 1484 (Windows Update.exe) set thread context of 456 (Windows Update.exe)
- PID 456 (Windows Update.exe) set thread context of 3660 (vbc.exe)
- PID 456 (Windows Update.exe) set thread context of 3132 (vbc.exe)
Drops file in Windows directory 3 IoCs
Processes:
process | description | ioc
- ba02abc98927e0f1c.exe | File opened for modification | C:\Windows\assembly
- ba02abc98927e0f1c.exe | File created | C:\Windows\assembly\Desktop.ini
- ba02abc98927e0f1c.exe | File opened for modification | C:\Windows\assembly\Desktop.ini
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
- 4304 | ba02abc98927e0f1c.exe
- 1484 | Windows Update.exe
- 456 | Windows Update.exe
(64 entries in total, one per enumeration; the report lists each separately and the bulk belong to PID 456)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
process | token | pid
- ba02abc98927e0f1c.exe | SeDebugPrivilege | 4304
- Windows Update.exe | SeDebugPrivilege | 1484
- Windows Update.exe | SeDebugPrivilege | 456
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
- 456 | Windows Update.exe
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
source pid (process) -> target pid (process) | writes
- 4304 (ba02abc98927e0f1c.exe) -> 4172 (ba02abc98927e0f1c.exe) | 8
- 4172 (ba02abc98927e0f1c.exe) -> 1484 (Windows Update.exe) | 3
- 1484 (Windows Update.exe) -> 456 (Windows Update.exe) | 8
- 456 (Windows Update.exe) -> 3660 (vbc.exe) | 9
- 456 (Windows Update.exe) -> 3132 (vbc.exe) | 9
(37 entries in total; the report lists each write separately. Every SetThreadContext target above also receives a burst of writes, which is the hollowing sequence: create suspended, write image, set context, resume.)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe (PID 4172; second instance of the same image, SetThreadContext and WriteProcessMemory target of PID 4304)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba02abc98927e0f1c.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1484; dropped self-copy, identical hashes to the sample)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 456; second instance, SetThreadContext and WriteProcessMemory target of PID 1484)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3660; SetThreadContext target of PID 456, MailPassView YARA hit in its memory)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          - Accesses Microsoft Outlook accounts
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3132; SetThreadContext target of PID 456, WebBrowserPassView YARA hit in its memory)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
- [1] C:\Windows\System32\svchost.exe (separate process-tree root, not spawned by the sample; the InstallService .catalogItem writes are Windows service activity and should not be attributed to the sample without further evidence)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
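The following is an added example, not part of the sandbox report, that runs detection checks over process-creation events reconstructed from the tree above. PIDs come from the report's SetThreadContext and WriteProcessMemory IoCs; the svchost.exe PID is not given in the report and is invented; the pid/ppid/image/cmdline field names mirror Sysmon Event ID 1 and are an assumption, as is the short list of Windows-component names. It flags the three things this tree exhibits: a process spawning a second copy of its own image (the pairs that also appear as SetThreadContext targets), a .NET compiler binary launched with NirSoft's /stext switch, and a Windows-sounding executable running from the user's Roaming profile, and it walks the parent chain from a vbc.exe alert back to the sample that started it.

```python
"""Added example, not part of the sandbox report: process-tree detection checks
run over events reconstructed from the report's Processes section."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Field names mirror Sysmon Event ID 1 (assumption); ppid 0 = tree root."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed from the report (PIDs from the behavioral2 IoCs). PID 9999 for
# svchost.exe is invented: the report does not give it.
EVENTS = [
    ProcEvent(4304, 0, f"{TEMP}\\ba02abc98927e0f1c.exe", f'"{TEMP}\\ba02abc98927e0f1c.exe"'),
    ProcEvent(4172, 4304, f"{TEMP}\\ba02abc98927e0f1c.exe", f'"{TEMP}\\ba02abc98927e0f1c.exe"'),
    ProcEvent(1484, 4172, f"{ROAM}\\Windows Update.exe", f'"{ROAM}\\Windows Update.exe"'),
    ProcEvent(456, 1484, f"{ROAM}\\Windows Update.exe", f'"{ROAM}\\Windows Update.exe"'),
    ProcEvent(3660, 456, VBC, f'{VBC} /stext "{TEMP}\\holdermail.txt"'),
    ProcEvent(3132, 456, VBC, f'{VBC} /stext "{TEMP}\\holderwb.txt"'),
    ProcEvent(9999, 0, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def self_spawn_pairs(events):
    """(parent_pid, child_pid) where a process launched a second copy of its
    own image. In this report every such pair is also a SetThreadContext
    target: the child is a suspended hollowing host, not a normal relaunch."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


# NirSoft's "save report as text" switch; /stext <file> is the last argument.
_STEXT = re.compile(r'/stext\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def nirsoft_stext_dumps(events):
    """(pid, image basename, output file) for any process given /stext. vbc.exe
    (the VB.NET compiler) has no such switch, so a compiler image carrying it
    means a password-recovery tool was written into that process."""
    hits = []
    for e in events:
        m = _STEXT.search(e.cmdline)
        if m:
            hits.append((e.pid, PureWindowsPath(e.image).name.lower(), m.group(1)))
    return hits


# Names that belong to Windows components; short allowlist, an assumption.
LOOKALIKE_NAMES = {"windowsupdate.exe", "svchost.exe"}


def lookalike_outside_windows(events):
    """PIDs whose image has a Windows-component name but lives outside the
    Windows directory. Spaces are dropped so 'Windows Update.exe' and the
    Run-key spelling 'WindowsUpdate.exe' are treated alike."""
    out = []
    for e in events:
        p = PureWindowsPath(e.image)
        name = p.name.lower().replace(" ", "")
        under_windows = [s.lower() for s in p.parts[:2]] == ["c:\\", "windows"]
        if name in LOOKALIKE_NAMES and not under_windows:
            out.append(e.pid)
    return out


def ancestry(events, pid):
    """Root-to-leaf PID chain, so an alert on vbc.exe can be tied back to the
    sample that started the chain."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    print("self-spawn pairs:", self_spawn_pairs(EVENTS))
    print("/stext dumps:", nirsoft_stext_dumps(EVENTS))
    print("lookalike names outside Windows:", lookalike_outside_windows(EVENTS))
    for pid, _name, _out in nirsoft_stext_dumps(EVENTS):
        print("chain for", pid, "->", ancestry(EVENTS, pid))
```

The self-spawn check is deliberately narrow (same image, parent-to-child) because on its own a relaunch of the same binary is common; it becomes high-confidence only when paired with the SetThreadContext and WriteProcessMemory events the report shows for the same PID pairs. The svchost.exe root produces no hit from any of the three checks, which matches its position outside the sample's tree.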
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 55B
  MD5: 7de0b47e0f9e5127362586a19471497f
  SHA1: 185113393dbea643d5a78cbe9040522d1827126d
  SHA256: d1d82428b8391b11570fe2577b3d0e820de6ad3fc3565b5fb80ae537e4283bca
  SHA512: 0201fe83c38ed559f149458f213da3e57a20589c6ee1afb8f06016a40fcbd698c996896b7b4fb67572b318092bf7bac18bfd5d951a350bfcf173c450d48eac0c
- C:\Users\Admin\AppData\Local\Temp\svhost.exe (a dropped file, not the Windows C:\Windows\System32\svchost.exe seen in the process tree; the report records no execution of it, only of Windows Update.exe)
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed four times in the report with identical hashes; they equal the hashes of the submitted sample, so this is a byte-for-byte self-copy)
  Filesize: 657KB
  MD5: 0d34b9d96f2ae523a367698eb41392aa
  SHA1: 6ab2270dc35817ee1f15bb5dfacf096bb9d1219f
  SHA256: ba02abc98927e0f1cf76a734d5ed290155ac8ab3a2a0f8b665a8a3d459adb805
  SHA512: 54d18748fe442c129c6b78956363f5187532def9c32683ea3f3b8b69896eb9cf5ef26e2c6c7e78f7fcb27a7b22cd4b1fdba37e42e29c96537c1ac140150d559b
Memory dumps (behavioral2; name is pid-sequence-start-end)
- memory/456-169-0x0000000001A00000-0x0000000001A10000-memory.dmp: 64KB
- memory/456-168-0x0000000001A00000-0x0000000001A10000-memory.dmp: 64KB
- memory/456-152-0x0000000000400000-0x0000000000484000-memory.dmp: 528KB (image-base region of the hollowed Windows Update.exe; NirSoft YARA hits)
- memory/456-154-0x0000000001A00000-0x0000000001A10000-memory.dmp: 64KB
- memory/456-159-0x0000000001A00000-0x0000000001A10000-memory.dmp: 64KB
- memory/1484-155-0x00000000012D0000-0x00000000012E0000-memory.dmp: 64KB
- memory/3132-170-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB (vbc.exe host; WebBrowserPassView YARA hits)
- memory/3132-171-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/3132-173-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/3660-162-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB (vbc.exe host; MailPassView YARA hits)
- memory/3660-164-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/3660-165-0x0000000000420000-0x00000000004E9000-memory.dmp: 804KB
- memory/3660-166-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/4172-141-0x0000000000C10000-0x0000000000C20000-memory.dmp: 64KB
- memory/4172-138-0x0000000000C10000-0x0000000000C20000-memory.dmp: 64KB
- memory/4304-137-0x0000000000F10000-0x0000000000F20000-memory.dmp: 64KB