Analysis
-
max time kernel
138s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-08-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
POSAIFOODPVTLTD.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
POSAIFOODPVTLTD.exe
Resource
win10v2004-20240802-en
General
-
Target
POSAIFOODPVTLTD.exe
-
Size
1.0MB
-
MD5
dea59d578e0e64728780fb67dde7d96d
-
SHA1
b23c86a74f5514ebcfb8e3f102a4b16f60ff4076
-
SHA256
71dbb1177cb271ab30531fda54cad0f1ea8be87182f96bf21f37dcf65758f6ce
-
SHA512
64663c97bcea47b6c265df2598e12b1dfeb437efc6e78a6a23cf0a02cfeaf28b054cc5af85b2d1aff3822c5d5b82905952db2722e095e138a0bf0203977d4bce
-
SSDEEP
24576:xsep9+wg44M5eh0GGxlA2F4O41ub2z6X46qU8A/yHD5A1:eo9+wg44M5eoA2FGO2m4XU8A/yj5A1
Malware Config
Extracted
Protocol: ftp- Host:
ftp.comedyskits.com.ng - Port:
21 - Username:
[email protected] - Password:
TGXs]#J&_ReU
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/3144-21-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral2/memory/2940-95-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2940-96-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2940-98-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4428-99-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4428-100-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4428-107-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3144-21-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral2/memory/2940-95-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2940-96-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2940-98-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3144-21-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral2/memory/4428-99-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4428-100-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4428-107-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1196 powershell.exe 4652 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation POSAIFOODPVTLTD.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" POSAIFOODPVTLTD.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 whatismyipaddress.com 35 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1932 set thread context of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 3144 set thread context of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 set thread context of 4428 3144 POSAIFOODPVTLTD.exe 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POSAIFOODPVTLTD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POSAIFOODPVTLTD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2204 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1196 powershell.exe 4652 powershell.exe 4652 powershell.exe 1196 powershell.exe 4428 vbc.exe 4428 vbc.exe 3144 POSAIFOODPVTLTD.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1196 powershell.exe Token: SeDebugPrivilege 4652 powershell.exe Token: SeDebugPrivilege 3144 POSAIFOODPVTLTD.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3144 POSAIFOODPVTLTD.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1932 wrote to memory of 1196 1932 POSAIFOODPVTLTD.exe 94 PID 1932 wrote to memory of 1196 1932 POSAIFOODPVTLTD.exe 94 PID 1932 wrote to memory of 1196 1932 POSAIFOODPVTLTD.exe 94 PID 1932 wrote to memory of 4652 1932 POSAIFOODPVTLTD.exe 96 PID 1932 wrote to memory of 4652 1932 POSAIFOODPVTLTD.exe 96 PID 1932 wrote to memory of 4652 1932 POSAIFOODPVTLTD.exe 96 PID 1932 wrote to memory of 2204 1932 POSAIFOODPVTLTD.exe 98 PID 1932 wrote to memory of 2204 1932 POSAIFOODPVTLTD.exe 98 PID 1932 wrote to memory of 2204 1932 POSAIFOODPVTLTD.exe 98 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 1932 wrote to memory of 3144 1932 POSAIFOODPVTLTD.exe 100 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 2940 3144 POSAIFOODPVTLTD.exe 101 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103 PID 3144 wrote to memory of 4428 3144 POSAIFOODPVTLTD.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\POSAIFOODPVTLTD.exe"C:\Users\Admin\AppData\Local\Temp\POSAIFOODPVTLTD.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\POSAIFOODPVTLTD.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\POSAIFOODPVTLTD.exe"C:\Users\Admin\AppData\Local\Temp\POSAIFOODPVTLTD.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4428
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Scripting
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
18KB
MD53712031a7fceb36863b4fe48b75dfc1d
SHA11a4ff65ba8eeec728c50eb1726fd502fa99db76a
SHA25632008b07d1ad3a5e18f63cd220005b8a37cbab6f5f71a72016c6063eb8db2b61
SHA51278c47c55a1591e1f70cc935e5f0cb8041506e84ffe6e34c36c55122949648e274b80e211324909c1f854c7d2f6568bbe8343d882225cb618162851a53eb17bab
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
1KB
MD52b10bf312326d7abb4c50e6ca49230c5
SHA1a43654756be61846e0705dd452e174a019153dca
SHA2562047943b648821ce015200cfb174c4ce19ba03cebf06f026a73c741fa42846dc
SHA512d3156a0700622b27c48ad0bd2b4f89fd0b845e5c0645d6437ef74fc64f45b4130d4df4924989425d2b27d35f210c7da7c239132f7c218020d88257f61052fcb9
-
Filesize
1.0MB
MD5dea59d578e0e64728780fb67dde7d96d
SHA1b23c86a74f5514ebcfb8e3f102a4b16f60ff4076
SHA25671dbb1177cb271ab30531fda54cad0f1ea8be87182f96bf21f37dcf65758f6ce
SHA51264663c97bcea47b6c265df2598e12b1dfeb437efc6e78a6a23cf0a02cfeaf28b054cc5af85b2d1aff3822c5d5b82905952db2722e095e138a0bf0203977d4bce