Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 01:00
Static task
static1
Behavioral task
behavioral1
Sample
ORDER SHEET/ORDER SHEET 1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ORDER SHEET/ORDER SHEET 1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
ORDER SHEET/ORDER SHEET 2.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
ORDER SHEET/ORDER SHEET 2.exe
Resource
win10v2004-20240426-en
General
-
Target
ORDER SHEET/ORDER SHEET 1.exe
-
Size
550KB
-
MD5
dd178d434937b7482e5a9f7c1a807d24
-
SHA1
10e0dd5f0b95babf7072bf35dbd786ad408def16
-
SHA256
84053f784641d90e9b053ffcb2e07e95e84f2f647317a4dd716ebca9fc9ac539
-
SHA512
9073b5817779a12d6eb5091ed69f6ca28ac5c92dbe6dadce66b0a098a2c8289b42c189589ce8a94593baab0f381b491dc9af291cb68f8c787e356a746780c56d
-
SSDEEP
12288:2rUQtoZo1W5EChbp0aKXRTyRdIYSkF9jO8ng1wNfv4fa9/K:2QiomnGfUTyLIYSg9m1+map
Malware Config
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2920-19-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/2920-21-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/2920-22-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
Nirsoft 3 IoCs
resource yara_rule behavioral2/memory/2920-19-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/2920-21-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/2920-22-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
pid Process 4180 filename.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" filename.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 checkip.dyndns.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4180 set thread context of 2920 4180 filename.exe 93 PID 4180 set thread context of 220 4180 filename.exe 94 -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 3576 ORDER SHEET 1.exe 3576 ORDER SHEET 1.exe 4180 filename.exe 4180 filename.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe 220 vbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3576 ORDER SHEET 1.exe Token: SeDebugPrivilege 4180 filename.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4180 filename.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 3576 wrote to memory of 4648 3576 ORDER SHEET 1.exe 84 PID 3576 wrote to memory of 4648 3576 ORDER SHEET 1.exe 84 PID 3576 wrote to memory of 4648 3576 ORDER SHEET 1.exe 84 PID 4648 wrote to memory of 4180 4648 cmd.exe 86 PID 4648 wrote to memory of 4180 4648 cmd.exe 86 PID 4648 wrote to memory of 4180 4648 cmd.exe 86 PID 4180 wrote to memory of 4676 4180 filename.exe 88 PID 4180 wrote to memory of 4676 4180 filename.exe 88 PID 4180 wrote to memory of 4676 4180 filename.exe 88 PID 4676 wrote to memory of 4868 4676 cmd.exe 90 PID 4676 wrote to memory of 4868 4676 cmd.exe 90 PID 4676 wrote to memory of 4868 4676 cmd.exe 90 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 2920 4180 filename.exe 93 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94 PID 4180 wrote to memory of 220 4180 filename.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 1.exe"C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 1.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\cmd.exe"cmd"4⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"5⤵
- Adds Run key to start application
PID:4868
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holderwb.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:220
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD573ddf6cd83c2ad8a2fbb2383e322ffbc
SHA105270f8bb7b5cc6ab9a61ae7453d047379089147
SHA2560ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409
SHA512714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d
-
Filesize
550KB
MD5dd178d434937b7482e5a9f7c1a807d24
SHA110e0dd5f0b95babf7072bf35dbd786ad408def16
SHA25684053f784641d90e9b053ffcb2e07e95e84f2f647317a4dd716ebca9fc9ac539
SHA5129073b5817779a12d6eb5091ed69f6ca28ac5c92dbe6dadce66b0a098a2c8289b42c189589ce8a94593baab0f381b491dc9af291cb68f8c787e356a746780c56d