Analysis
- max time kernel: 140s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-07-2023 08:19
Static task: static1
Behavioral task: behavioral1
- Sample: PO894exeexeexeexeexeexeex.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: PO894exeexeexeexeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: PO894exeexeexeexeexeexeex.exe
- Size: 1.5MB
- MD5: 9ae482062c306491334cb178fe919a3e
- SHA1: c2f76bc7512dfc45621fc7f23f8b2deb6c45f5f0
- SHA256: 1f998c6032159b469178389d2cc6debf14c810bd11b3be86a374ee7608d11cac
- SHA512: 8dcd3ad324ada81ac3c40618b3754aa850f9fbdd4ee26105a28bdd39b62ae0625688827eae5499de6358779f150c7c2f790a136d010b7d55169203253a81bddb
- SSDEEP: 24576:PXXQKVZnyHJ/mUgHrxpyUdjYxZi/nLzy+yNzbMCms016w33yd2OluON4fA9uCG:PHQ4nypujrxp5YxZ8LzlyZAd/L3yd2O8
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.lucd.ru
- Port: 21
- Username: [email protected]
- Password: doll@@2020
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (process: PO894exeexeexeexeexeexeex.exe)
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
- behavioral2/memory/4820-145-0x0000000000400000-0x0000000000488000-memory.dmp (yara_rule: MailPassView)
- behavioral2/memory/4936-153-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: MailPassView)
- behavioral2/memory/4936-155-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: MailPassView)
- behavioral2/memory/4936-157-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: MailPassView)
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
- behavioral2/memory/4820-145-0x0000000000400000-0x0000000000488000-memory.dmp (yara_rule: WebBrowserPassView)
- behavioral2/memory/4728-160-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: WebBrowserPassView)
- behavioral2/memory/4728-162-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: WebBrowserPassView)
- behavioral2/memory/4728-169-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: WebBrowserPassView)
-
Nirsoft 7 IoCs
Processes:
- behavioral2/memory/4820-145-0x0000000000400000-0x0000000000488000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4936-153-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4936-155-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4936-157-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4728-160-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4728-162-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: Nirsoft)
- behavioral2/memory/4728-169-0x0000000000400000-0x0000000000458000-memory.dmp (yara_rule: Nirsoft)
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (process: PO894exeexeexeexeexeexeex.exe)
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: PO894exeexeexeexeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: PO894exeexeexeexeexeexeex.exe)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation (process: PO894exeexeexeexeexeexeex.exe)
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (process: PO894exeexeexeexeexeexeex.exe)
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 21: whatismyipaddress.com
- flow 23: whatismyipaddress.com
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: PO894exeexeexeexeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: PO894exeexeexeexeexeexeex.exe)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 4108 set thread context of 4820 (PO894exeexeexeexeexeexeex.exe -> PO894exeexeexeexeexeexeex.exe)
- PID 4820 set thread context of 4936 (PO894exeexeexeexeexeexeex.exe -> vbc.exe)
- PID 4820 set thread context of 4728 (PO894exeexeexeexeexeexeex.exe -> vbc.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 4108: PO894exeexeexeexeexeexeex.exe
- PID 4728: vbc.exe
- PID 4728: vbc.exe
- PID 4820: PO894exeexeexeexeexeexeex.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4108 (PO894exeexeexeexeexeexeex.exe)
- Token: SeDebugPrivilege, PID 4820 (PO894exeexeexeexeexeexeex.exe)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 4820: PO894exeexeexeexeexeexeex.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
- PID 4108 wrote to memory of 416 (PO894exeexeexeexeexeexeex.exe -> schtasks.exe), 3 entries
- PID 4108 wrote to memory of 4820 (PO894exeexeexeexeexeexeex.exe -> PO894exeexeexeexeexeexeex.exe), 8 entries
- PID 4820 wrote to memory of 4936 (PO894exeexeexeexeexeexeex.exe -> vbc.exe), 9 entries
- PID 4820 wrote to memory of 4728 (PO894exeexeexeexeexeexeex.exe -> vbc.exe), 9 entries
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\PO894exeexeexeexeexeexeex.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PO894exeexeexeexeexeexeex.exe"
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vIAIAyAXewJvJh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AFA.tmp"
- Creates scheduled task(s)
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\PO894exeexeexeexeexeexeex.exe
Command line: "{path}"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
- Accesses Microsoft Outlook accounts
-
Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO894exeexeexeexeexeexeex.exe.log
- Filesize: 1KB
- MD5: 5200da2e50f24d5d543c3f10674acdcb
- SHA1: b574a3336839882d799c0a7f635ea238efb934ee
- SHA256: d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
- SHA512: 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- Filesize: 3KB
- MD5: f94dc819ca773f1e3cb27abbc9e7fa27
- SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
- SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
- SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\tmp6AFA.tmp
- Filesize: 1KB
- MD5: 87fe385924210725f741b4c62437cf91
- SHA1: c27497e61d86b7bf31c556b3cd9d5f7a4fb8e212
- SHA256: bcd37e17bce3ca7a3bafa2f52b24d6c720fd1f05b775dbaad7bba78e8a2b289a
- SHA512: 2ce22c4cea1e442002a3f54e9d2e1a67c2332ed925b938362a13b716224ec8e2c9427a9bab03a560cd277371fbbf9920be98b8d9ab5a31bfa751b98f3d4bfcda
-
Memory dumps (Filesize):
- memory/4108-136-0x0000000005290000-0x0000000005322000-memory.dmp: 584KB
- memory/4108-137-0x0000000005140000-0x000000000514A000-memory.dmp: 40KB
- memory/4108-138-0x0000000005420000-0x0000000005476000-memory.dmp: 344KB
- memory/4108-139-0x00000000051D0000-0x00000000051E0000-memory.dmp: 64KB
- memory/4108-140-0x00000000051D0000-0x00000000051E0000-memory.dmp: 64KB
- memory/4108-141-0x00000000082C0000-0x0000000008326000-memory.dmp: 408KB
- memory/4108-135-0x0000000005840000-0x0000000005DE4000-memory.dmp: 5.6MB
- memory/4108-133-0x0000000000620000-0x00000000007A0000-memory.dmp: 1.5MB
- memory/4108-134-0x00000000051F0000-0x000000000528C000-memory.dmp: 624KB
- memory/4728-160-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/4728-169-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/4728-162-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
- memory/4820-148-0x00000000059B0000-0x00000000059C0000-memory.dmp: 64KB
- memory/4820-158-0x00000000059B0000-0x00000000059C0000-memory.dmp: 64KB
- memory/4820-159-0x00000000059B0000-0x00000000059C0000-memory.dmp: 64KB
- memory/4820-145-0x0000000000400000-0x0000000000488000-memory.dmp: 544KB
- memory/4820-170-0x00000000059B0000-0x00000000059C0000-memory.dmp: 64KB
- memory/4936-157-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/4936-156-0x0000000000420000-0x00000000004E9000-memory.dmp: 804KB
- memory/4936-155-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/4936-153-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB