Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 07:46
Static task: static1

Behavioral task: behavioral1
  Sample: 1283a766780b0e9b91773e20e2d09ff2.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 1283a766780b0e9b91773e20e2d09ff2.exe
  Resource: win10v2004-20231215-en
General

Target: 1283a766780b0e9b91773e20e2d09ff2.exe
Size: 748KB
MD5: 1283a766780b0e9b91773e20e2d09ff2
SHA1: 6d78f649d4a08be0d2d2aaabb4b5dc1404d73515
SHA256: ca6cb9054e9d8bebe61f3074096a2e3c664a9b6f0353e5c0b306d4701926acb4
SHA512: e8e07b9930562e04dc1ec907ddd00d38bfcf03b2f370f098efd7d92d211c6a91e4e52b034432837c534e5d8e14c29edd281c86a0563c6ba93bdda72e3eb9e66d
SSDEEP: 12288:dSDAs7ivGyiRB1toFaAGWaRn0K8joqcp5T718jC:oDAsCYB1toFpGj8joqcp5T7s
Malware Config
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients

resource                                                                     yara_rule
behavioral2/memory/3848-35-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral2/memory/3848-37-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral2/memory/3848-36-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView

Nirsoft (26 IoCs)

resource                                                                     yara_rule
behavioral2/memory/4928-19-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral2/memory/5068-29-0x0000000000400000-0x0000000000425000-memory.dmp  Nirsoft
behavioral2/memory/3848-35-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral2/memory/3188-62-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/4160-83-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/4160-86-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/4160-84-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/4160-82-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/4536-76-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/4536-74-0x0000000000400000-0x0000000000419000-memory.dmp  Nirsoft
behavioral2/memory/1728-69-0x0000000000400000-0x0000000000410000-memory.dmp  Nirsoft
behavioral2/memory/1728-68-0x0000000000400000-0x0000000000410000-memory.dmp  Nirsoft
behavioral2/memory/1728-66-0x0000000000400000-0x0000000000410000-memory.dmp  Nirsoft
behavioral2/memory/3188-64-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/3188-63-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/3188-61-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
behavioral2/memory/392-55-0x0000000000400000-0x000000000043E000-memory.dmp   Nirsoft
behavioral2/memory/392-52-0x0000000000400000-0x000000000043E000-memory.dmp   Nirsoft
behavioral2/memory/2808-46-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral2/memory/2808-44-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral2/memory/2808-42-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral2/memory/3848-37-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral2/memory/3848-36-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral2/memory/5068-30-0x0000000000400000-0x0000000000425000-memory.dmp  Nirsoft
behavioral2/memory/5068-28-0x0000000000400000-0x0000000000425000-memory.dmp  Nirsoft
behavioral2/memory/4928-21-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                     yara_rule
behavioral2/memory/4564-9-0x0000000000400000-0x00000000004AE000-memory.dmp   upx
behavioral2/memory/4928-19-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/5068-27-0x0000000000400000-0x0000000000425000-memory.dmp  upx
behavioral2/memory/5068-29-0x0000000000400000-0x0000000000425000-memory.dmp  upx
behavioral2/memory/3848-35-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2808-39-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/3188-62-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/4536-71-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-81-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-83-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-86-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-84-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-82-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4160-79-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4536-76-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4536-74-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/4536-73-0x0000000000400000-0x0000000000419000-memory.dmp  upx
behavioral2/memory/3188-64-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/3188-63-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/3188-61-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/3188-60-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/3188-58-0x0000000000400000-0x000000000041B000-memory.dmp  upx
behavioral2/memory/392-55-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/392-52-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/392-51-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/392-49-0x0000000000400000-0x000000000043E000-memory.dmp   upx
behavioral2/memory/2808-46-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/2808-44-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/4564-43-0x0000000000400000-0x00000000004AE000-memory.dmp  upx
behavioral2/memory/2808-42-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/2808-41-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/3848-37-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3848-36-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3848-34-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3848-32-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5068-30-0x0000000000400000-0x0000000000425000-memory.dmp  upx
behavioral2/memory/5068-28-0x0000000000400000-0x0000000000425000-memory.dmp  upx
behavioral2/memory/5068-25-0x0000000000400000-0x0000000000425000-memory.dmp  upx
behavioral2/memory/4928-21-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/4928-18-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/4928-16-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/4564-11-0x0000000000400000-0x00000000004AE000-memory.dmp  upx
behavioral2/memory/4564-10-0x0000000000400000-0x00000000004AE000-memory.dmp  upx
behavioral2/memory/4564-7-0x0000000000400000-0x00000000004AE000-memory.dmp   upx
behavioral2/memory/4564-89-0x0000000000400000-0x00000000004AE000-memory.dmp  upx
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)

description  ioc                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  1283a766780b0e9b91773e20e2d09ff2.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.

description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   1283a766780b0e9b91773e20e2d09ff2.exe
Suspicious use of SetThreadContext (11 IoCs)

description                           pid   Process                               procid_target
PID 596 set thread context of 3852    596   1283a766780b0e9b91773e20e2d09ff2.exe  70
PID 3852 set thread context of 4564   3852  1283a766780b0e9b91773e20e2d09ff2.exe  69
PID 4564 set thread context of 4928   4564  1283a766780b0e9b91773e20e2d09ff2.exe  68
PID 4564 set thread context of 5068   4564  1283a766780b0e9b91773e20e2d09ff2.exe  67
PID 4564 set thread context of 3848   4564  1283a766780b0e9b91773e20e2d09ff2.exe  66
PID 4564 set thread context of 2808   4564  1283a766780b0e9b91773e20e2d09ff2.exe  65
PID 4564 set thread context of 392    4564  1283a766780b0e9b91773e20e2d09ff2.exe  64
PID 4564 set thread context of 3188   4564  1283a766780b0e9b91773e20e2d09ff2.exe  63
PID 4564 set thread context of 1728   4564  1283a766780b0e9b91773e20e2d09ff2.exe  62
PID 4564 set thread context of 4536   4564  1283a766780b0e9b91773e20e2d09ff2.exe  61
PID 4564 set thread context of 4160   4564  1283a766780b0e9b91773e20e2d09ff2.exe  60
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid   Process
5068  1283a766780b0e9b91773e20e2d09ff2.exe
5068  1283a766780b0e9b91773e20e2d09ff2.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)

description                 pid   Process
Token: SeDebugPrivilege     5068  1283a766780b0e9b91773e20e2d09ff2.exe
Token: SeDebugPrivilege     3188  1283a766780b0e9b91773e20e2d09ff2.exe
Token: SeRestorePrivilege   3188  1283a766780b0e9b91773e20e2d09ff2.exe
Token: SeBackupPrivilege    3188  1283a766780b0e9b91773e20e2d09ff2.exe
Suspicious use of SetWindowsHookEx (3 IoCs)

pid   Process
596   1283a766780b0e9b91773e20e2d09ff2.exe
3852  1283a766780b0e9b91773e20e2d09ff2.exe
4564  1283a766780b0e9b91773e20e2d09ff2.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each row below appears 8 times in the report (8 identical entries per target, 64 in total).

description                        pid   Process                               procid_target
PID 596 wrote to memory of 3852    596   1283a766780b0e9b91773e20e2d09ff2.exe  70
PID 3852 wrote to memory of 4564   3852  1283a766780b0e9b91773e20e2d09ff2.exe  69
PID 4564 wrote to memory of 4928   4564  1283a766780b0e9b91773e20e2d09ff2.exe  68
PID 4564 wrote to memory of 5068   4564  1283a766780b0e9b91773e20e2d09ff2.exe  67
PID 4564 wrote to memory of 3848   4564  1283a766780b0e9b91773e20e2d09ff2.exe  66
PID 4564 wrote to memory of 2808   4564  1283a766780b0e9b91773e20e2d09ff2.exe  65
PID 4564 wrote to memory of 392    4564  1283a766780b0e9b91773e20e2d09ff2.exe  64
PID 4564 wrote to memory of 3188   4564  1283a766780b0e9b91773e20e2d09ff2.exe  63
Processes

Level 1 entries are top-level processes as listed in the report; the level 2 entry is shown indented under its parent.

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe"
  PID: 596
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe"
      PID: 3852
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\opra.dat"
  PID: 4160

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"
  PID: 4536

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"
  PID: 1728

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"
  PID: 3188
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"
  PID: 392

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"
  PID: 2808

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"
  PID: 3848
  - Accesses Microsoft Outlook accounts

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"
  PID: 5068
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: /stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"
  PID: 4928

C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1283a766780b0e9b91773e20e2d09ff2.exe"
  PID: 4564
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory