Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 21:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
VirusShare_c521f79249320c77b5b20007f871fbb1.exe
Resource
win7-20240221-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
VirusShare_c521f79249320c77b5b20007f871fbb1.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
VirusShare_c521f79249320c77b5b20007f871fbb1.exe
-
Size
951KB
-
MD5
c521f79249320c77b5b20007f871fbb1
-
SHA1
8b772e27c77fd4880b79fe8466bff21e21e1aa2a
-
SHA256
2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f
-
SHA512
f471c23576f61e2066e09c44ae3beab374153fdafebfb6cc03e140942c15d3fa273394848dd3a4ba0bd07c7883b678d0d2dcbc1be1ea5a381882b101e55107bb
-
SSDEEP
24576:9Sr69b1sIzdkdUDuCppG/HNs2HRT3s4ni4gSUf4:B9b1xdySu84lsMRzVniLw
Malware Config
Signatures
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2636-33-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-35-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-39-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-37-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-42-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-49-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-48-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2636-51-0x0000000000400000-0x0000000004B18000-memory.dmp MailPassView behavioral1/memory/2920-64-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2920-62-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2920-61-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2920-66-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2636-33-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-35-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-39-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-37-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-42-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-49-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-48-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2636-51-0x0000000000400000-0x0000000004B18000-memory.dmp WebBrowserPassView behavioral1/memory/2668-87-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2668-85-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2668-84-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2668-91-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 16 IoCs
Processes:
resource yara_rule behavioral1/memory/2636-33-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-35-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-39-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-37-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-42-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-49-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-48-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2636-51-0x0000000000400000-0x0000000004B18000-memory.dmp Nirsoft behavioral1/memory/2920-64-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2920-62-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2920-61-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2920-66-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2668-87-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2668-85-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2668-84-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2668-91-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
M.exeM.exepid Process 2232 M.exe 2636 M.exe -
Loads dropped DLL 5 IoCs
Processes:
VirusShare_c521f79249320c77b5b20007f871fbb1.exeM.exeM.exepid Process 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 2232 M.exe 2232 M.exe 2636 M.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/files/0x0034000000013f21-4.dat upx behavioral1/memory/2232-13-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2232-55-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
VirusShare_c521f79249320c77b5b20007f871fbb1.exeM.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" VirusShare_c521f79249320c77b5b20007f871fbb1.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" M.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
M.exeM.exedescription pid Process procid_target PID 2232 set thread context of 2636 2232 M.exe 29 PID 2636 set thread context of 2920 2636 M.exe 32 PID 2636 set thread context of 2668 2636 M.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
M.exeM.exepid Process 2232 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe 2636 M.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid Process 2864 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
M.exedescription pid Process Token: SeDebugPrivilege 2636 M.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
M.exeM.exeAcroRd32.exepid Process 2232 M.exe 2232 M.exe 2636 M.exe 2864 AcroRd32.exe 2864 AcroRd32.exe 2864 AcroRd32.exe -
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
VirusShare_c521f79249320c77b5b20007f871fbb1.exeM.exeM.exedescription pid Process procid_target PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 1724 wrote to memory of 2232 1724 VirusShare_c521f79249320c77b5b20007f871fbb1.exe 28 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2232 wrote to memory of 2636 2232 M.exe 29 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2864 2636 M.exe 31 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2920 2636 M.exe 32 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33 PID 2636 wrote to memory of 2668 2636 M.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵PID:2668
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD5a044a4eaea50ac33f65fd614f4b78509
SHA1f4c1d9a86ee7769492293508f650f67dc3c523f7
SHA2568f9c44049129703f3d6d3beeff6ac8d576df276a56e8f7f85c86beda912ed8c4
SHA5129fbeae185958d0c7868bc21fd08220cc8e1f6aaa6cea14ffbb257a93355ba043e294be25ae40c8f80d75563bdd1f9cec3f29afa944b3cac11664ec4b066822d3
-
Filesize
749KB
MD5aa9da8f4f5e434d8449c17efccebef5e
SHA199487070bb0da9e0c2df138b111e9bebc2a271f2
SHA25616b6bdc384d7b4821d541eb40f1be8c3ca2b027b9a329e77eb4c13800b3e8ec2
SHA512768fb0d93c91ad868f7b2cfc0fc67ce2e20293e40ec1e4216bb805232a2f02cdfd3ec225c29c40bed6c4f505aa35b788f5291661b99d2773c24d395c825ef0cb
-
Filesize
104KB
MD542ccd69a3be9618d329de0ea0fde3a81
SHA147e9897f303496eb9cd5883f9cdb283b6eee65d3
SHA25614137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef
SHA51233d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
3KB
MD5225571b35123155ccb3d26eb5b5be4b5
SHA184d36a194da8e329c5aaa49372c046bd29638e2c
SHA256e27478da8b2f26ab284e80561cc3266934fbda86885176bb9f393057d7b0489b
SHA512f2e998d0216be279ec077ab15c645d84fca7f6a43e1639976ff9224de56bde9f67339ae9fdc0bc5076a67ac39212b485302961bb228b0f09af1573206c5fbd3d
-
Filesize
140KB
MD5bc9932d562808f046db8cf2d225b317e
SHA150827e282cb74b846b8ef79ccd3f5887e3a941f2
SHA25649a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7
SHA512d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22