Analysis Overview
SHA256
9a319a59a74ea745259643aa20057803be6a52de1f86d20261987ffceede9c6f
Threat Level: Known bad
The file 9b8e1997fa6a66bc23a203c92c175f77 was found to be: Known bad.
Malicious Activity Summary
HawkEye
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Deletes itself
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-27 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-27 01:40
Reported
2023-12-28 20:34
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
HawkEye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe |
| PID 2716 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2008 set thread context of 2412 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2008 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"C:\Users\Admin\AppData\Local\Temp\Costa Order.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"{path}"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.155.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.155.36:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | safeconnectplus.com | udp |
| US | 192.185.106.46:587 | safeconnectplus.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
memory/1976-1-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/1976-0-0x00000000001D0000-0x00000000002C6000-memory.dmp
memory/1976-2-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/1976-3-0x0000000000620000-0x0000000000628000-memory.dmp
memory/1976-4-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/1976-5-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/1976-6-0x0000000008000000-0x00000000080C8000-memory.dmp
memory/1976-7-0x0000000005DA0000-0x0000000005E34000-memory.dmp
memory/2824-20-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2824-21-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/1976-19-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2716-30-0x0000000001370000-0x0000000001466000-memory.dmp
memory/2716-32-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2824-31-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2716-33-0x0000000004E80000-0x0000000004EC0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 44d9e6b0b74c4e180e3949830899711f |
| SHA1 | 85b1977443c4c64e564c871bb94637ac6d585a6a |
| SHA256 | 60e4b01a2ad5c441e4313408b47355764523894c9411502c9f04770dd8a746c2 |
| SHA512 | 77b884f86cf7a193ba2a94efcacb79235013a2ea631f3cfcb23d8778400873fec7bdcc05f4946e2bb5abd2db31804c116c6dbb219c6ce77342f906a9533fec8c |
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f7e52c55b8a86b6d3d3b36fe24cd58 |
| SHA1 | 933a1e9ea6be61725dce0f19a148161e499ac2bd |
| SHA256 | 3105b2a9fb72bc81a680edd7f3ea2f088536af7867b40bbf6a70315e5ddb0402 |
| SHA512 | e775d2d129cf908feb03f9bc0ecc5f4376cf89c5fe29e50cc43a601392692cb5328d14474f40ffa2166c82514375a520b1d7b03d2042de12644c1de24378bcea |
memory/2824-18-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-16-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-14-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2824-11-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-10-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-9-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2824-8-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2716-34-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2716-35-0x0000000004E80000-0x0000000004EC0000-memory.dmp
\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | bc4e444c2dd7463dc563119593bc7764 |
| SHA1 | d54092772dd1d8ca8b20b84f44e0931d089d79d7 |
| SHA256 | fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15 |
| SHA512 | e78aedccca55ffd1ec5aa8f0c236443d442e1661d041007c54a6aba767f3970495772d2ea7916056b5cc8c0107451acb58da612f2d4dd1574205470f12850742 |
memory/2716-46-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2008-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2008-50-0x0000000074610000-0x0000000074CFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 0ead9cdf8737b31ffb70b56dfb236c93 |
| SHA1 | fa867eb89ce3debeb4603a834d9a569b2283ea51 |
| SHA256 | 0e4a39c0b77d1c2b426b44f5dd329d19b1af44f8455a01758abc1e410c2d8fa5 |
| SHA512 | c27f580ea00648dac6f7e349131d8c4892a08b29073ae3f819ac821ede668be232f728e8ae73d19d8f2700d25453ff8f24851886030be3545c55d3097994cc94 |
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
| MD5 | bb17d25610d1ea80ff97249d56582042 |
| SHA1 | 5ef617d3403327eaac62387d41dec31aa191402f |
| SHA256 | 4c771ec8ecca9f0b3f25646e0a6d9c19f5990e6da320bbdcceb29557723f869d |
| SHA512 | 9894d21122b315003f96930e27b252ec380110a9b35b6adfee5a9f9fbbb6beb0ec3d752ced0353fa526cc374f909594818ec6e57ba72805b080872ffdc1d2088 |
memory/2008-56-0x00000000007F0000-0x00000000007F8000-memory.dmp
memory/2412-57-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2412-59-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2412-60-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2412-62-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2008-63-0x0000000074610000-0x0000000074CFE000-memory.dmp
memory/1600-64-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1600-66-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1600-70-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1600-67-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 465c77771d1bb4fb38eebf678e7ce6c0 |
| SHA1 | 362b1bbb0627c4d3a6fd5dae8814daa66dde6f85 |
| SHA256 | c4069e081490bc3f1c97f0fcfffc5f87ee7ba7369424782b57a349af223cadbb |
| SHA512 | c1ce434436467b0c1a5bf31409e17c4528c8c2512d02326fe765970b2386e771f416017263d246b44c1bf29373266d3aac44f3152dd6599e9136399e40d74b91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f3b1e99319122833aeca60439d2721cf |
| SHA1 | 2f3b9e7d7bfcf27927e581858cabbdc4e18846ce |
| SHA256 | 67dfa4923535e8462d272602f559ba6b81a9912becca5beca30a59b5f6eeb516 |
| SHA512 | dc403fcd599f1cf2e9802a7b913a3326811b978e499a5711e03c43092f35e696eab348e1aabed4d359afa7ff7094f4808096518845b8849867acd4a14f2f979c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\TarA124.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-27 01:40
Reported
2023-12-28 20:34
Platform
win10v2004-20231222-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
HawkEye
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2448 set thread context of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe |
| PID 2608 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2224 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2224 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Costa Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"C:\Users\Admin\AppData\Local\Temp\Costa Order.exe"
C:\Users\Admin\AppData\Local\Temp\Costa Order.exe
"{path}"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.154.36:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 36.154.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | safeconnectplus.com | udp |
| US | 192.185.106.46:587 | safeconnectplus.com | tcp |
| US | 8.8.8.8:53 | 46.106.185.192.in-addr.arpa | udp |
Files
memory/2448-1-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2448-0-0x00000000001A0000-0x0000000000296000-memory.dmp
memory/2448-2-0x0000000005150000-0x00000000056F4000-memory.dmp
memory/2448-3-0x0000000004C80000-0x0000000004D12000-memory.dmp
memory/2448-4-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/2448-5-0x0000000004D40000-0x0000000004D4A000-memory.dmp
memory/2448-7-0x0000000007990000-0x0000000007A2C000-memory.dmp
memory/2448-6-0x0000000004F30000-0x0000000004F38000-memory.dmp
memory/2448-8-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2448-9-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/2448-10-0x0000000007D70000-0x0000000007E38000-memory.dmp
memory/2448-11-0x00000000061E0000-0x0000000006274000-memory.dmp
memory/4888-12-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Costa Order.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/4888-15-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2448-16-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/4888-18-0x00000000058A0000-0x00000000058F6000-memory.dmp
memory/4888-17-0x00000000057A0000-0x00000000057B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 083ef62f8378a3c95f63afa05d9b288b |
| SHA1 | 55b388a270e2a19474ba1d182d514e192b4b864c |
| SHA256 | 35d9966bdebaa721d0ce770f73d9ac619ee96c56273873f9c4b896c7d1d7d45b |
| SHA512 | 8880c53d5137888f6bf30147ce35a162a2178e914e6482837e76de06dc158da7e504a1fabf9852f538a7218759cbfa28eb5116923118e5bedcb2d7ad35b9493f |
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 4832f9ab7b648fbc5f30664239219ee8 |
| SHA1 | 913db19a143b90b950436ebce4f6bc765a91f134 |
| SHA256 | 205f901e2b99e94e298c3d22530db4bc2db48080d48ed622e4bf4ae644a61636 |
| SHA512 | a47ba3c0ebb4ac5bcadf6ba9a96ebc61ff6e7a3ea8c69c972b24a84332578347a00b70976a84ce51b45f12b26d84e6837cfca6bd1b412250e878ea1b93d94e27 |
memory/2608-32-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/4888-31-0x0000000074600000-0x0000000074DB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 948a612d9df5d2a116244d0d71399dfb |
| SHA1 | f1f60d42647b1644a240c8115a62eada7b97bfc8 |
| SHA256 | 0467457cf44fffb1c9a30865665f32e9291d983bcdcdbbfb0b4a82f7e971d5a1 |
| SHA512 | 0bae8e270303ff5e445cb88d2e61199cd570bc68fa2111311bcb9f60241050d9df173affd1a2de264d2a25245067d5595a67f50454f09a73ab921327b52aa42d |
memory/2608-33-0x0000000005AF0000-0x0000000005B00000-memory.dmp
memory/2608-34-0x0000000074600000-0x0000000074DB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | bc4e444c2dd7463dc563119593bc7764 |
| SHA1 | d54092772dd1d8ca8b20b84f44e0931d089d79d7 |
| SHA256 | fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15 |
| SHA512 | e78aedccca55ffd1ec5aa8f0c236443d442e1661d041007c54a6aba767f3970495772d2ea7916056b5cc8c0107451acb58da612f2d4dd1574205470f12850742 |
memory/2224-38-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2608-39-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2224-40-0x0000000005580000-0x0000000005590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 0ead9cdf8737b31ffb70b56dfb236c93 |
| SHA1 | fa867eb89ce3debeb4603a834d9a569b2283ea51 |
| SHA256 | 0e4a39c0b77d1c2b426b44f5dd329d19b1af44f8455a01758abc1e410c2d8fa5 |
| SHA512 | c27f580ea00648dac6f7e349131d8c4892a08b29073ae3f819ac821ede668be232f728e8ae73d19d8f2700d25453ff8f24851886030be3545c55d3097994cc94 |
memory/2224-44-0x00000000077F0000-0x0000000007856000-memory.dmp
memory/2224-47-0x0000000008370000-0x0000000008378000-memory.dmp
memory/2824-48-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2824-50-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2824-51-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2824-52-0x0000000000420000-0x00000000004E9000-memory.dmp
memory/3488-54-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3488-56-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3488-57-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |
memory/3488-64-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2224-65-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2224-66-0x0000000005580000-0x0000000005590000-memory.dmp