e63436e7026f7c9b9200281885ff224f376f81c0bf9245612ef3a677b64fc8b9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c5365e0cbaff6b1c694860a1062ba7.exe
Size

296KB
MD5

19c5365e0cbaff6b1c694860a1062ba7
SHA1

1297985e6dcade31a9078542a6337307c97c1e0d
SHA256

e63436e7026f7c9b9200281885ff224f376f81c0bf9245612ef3a677b64fc8b9
SHA512

33db9e142ac8e8a4231f63259f65c25d089b1ea7fde4918a773c4b4642f4edc5910f2817656c984937aa55f85a1b1771949483ec6a0a03570e2566adbc928780
SSDEEP

6144:gfvsEPA3WKXYvaPrgt0YJb4ZMkZGnvdWalvQAxH3aaBQ3jx0wnW5iBTQk7o7/:0irgPJ0MjlvnaaBQzxbngiBD7C

Score

9^/10

collection

Malware Config

Signatures

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/2548-43-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2548-42-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2548-38-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	19c5365e0cbaff6b1c694860a1062ba7.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 1916 set thread context of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 set thread context of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 set thread context of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 set thread context of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 set thread context of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 set thread context of 1660	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	35
PID 1916 set thread context of 2788	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	36

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	19c5365e0cbaff6b1c694860a1062ba7.exe
Token: SeDebugPrivilege	2724	19c5365e0cbaff6b1c694860a1062ba7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 2384 wrote to memory of 1916	2384	19c5365e0cbaff6b1c694860a1062ba7.exe	29
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2548	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	32
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2868	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	30
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2724	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	31
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 2816	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	33
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1828	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	34
PID 1916 wrote to memory of 1660	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	35
PID 1916 wrote to memory of 1660	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	35
PID 1916 wrote to memory of 1660	1916	19c5365e0cbaff6b1c694860a1062ba7.exe	35

C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
"C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
  C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\19c5365e0cbaff6b1c694860a1062ba7.exe
    /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
    3⤵
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/1828-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1916-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-181-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-19-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1916-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-182-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1916-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-177-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-175-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1916-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2548-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2868-45-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-47-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-49-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-52-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download