Analysis
-
max time kernel
140s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2024 17:39
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Invoice.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Pics.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
Pics.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Products drawing.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Products drawing.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Quotation and Prices.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
Quotation and Prices.exe
Resource
win10v2004-20240802-en
General
-
Target
Pics.exe
-
Size
806KB
-
MD5
676dda52e0fec9f49caee414127de4ef
-
SHA1
6d95db4649588997b3b53b5e95aecb67047ba3ae
-
SHA256
20f5a9a0987d95a8b22df5c60e246d85259ec8893d0d6f3c7fdfeecb066e6b07
-
SHA512
ac1dc1bc932c503360119c713b3ae0d81331f1f36838e2b26dab1c8a80e5c4f7df57df19ad6c59cbc8f2f77d02f77fd9f9919cd5be8310ef17ce15d25126ccfb
-
SSDEEP
12288:fFda+FdaiFQMGqfwkD4KyN5U97OlIhvGPC10KnLkwvsdir8EwBxAOpWerOR8AtsF:VFpGqfwBtN0j10KLkwQiYHsv6At
Malware Config
Extracted
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
MARYolanmauluogwo@ever
Signatures
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
resource yara_rule behavioral4/memory/3704-5-0x0000000005830000-0x00000000058E8000-memory.dmp beds_protector -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral4/memory/4380-27-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral4/memory/1012-48-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/1012-50-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/1012-51-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/1012-52-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/3348-53-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral4/memory/3348-54-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral4/memory/3348-61-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral4/memory/4380-27-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral4/memory/1012-48-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral4/memory/1012-50-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral4/memory/1012-51-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral4/memory/1012-52-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral4/memory/4380-27-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral4/memory/3348-53-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral4/memory/3348-54-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral4/memory/3348-61-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Pics.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 whatismyipaddress.com 10 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3704 set thread context of 4380 3704 Pics.exe 89 PID 4380 set thread context of 1012 4380 Pics.exe 103 PID 4380 set thread context of 3348 4380 Pics.exe 104 -
pid Process 2432 Powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2432 Powershell.exe 2432 Powershell.exe 3348 vbc.exe 3348 vbc.exe 4380 Pics.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2432 Powershell.exe Token: SeDebugPrivilege 4380 Pics.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4380 Pics.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3704 wrote to memory of 2432 3704 Pics.exe 86 PID 3704 wrote to memory of 2432 3704 Pics.exe 86 PID 3704 wrote to memory of 2432 3704 Pics.exe 86 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 3704 wrote to memory of 4380 3704 Pics.exe 89 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 1012 4380 Pics.exe 103 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104 PID 4380 wrote to memory of 3348 4380 Pics.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pics.exe"C:\Users\Admin\AppData\Local\Temp\Pics.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Pics.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Users\Admin\AppData\Local\Temp\Pics.exe"C:\Users\Admin\AppData\Local\Temp\Pics.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1012
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3348
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56a669672404c7fa39949936a483cf174
SHA125efdb55d16b9629db7d934e960a73d31a24f7c9
SHA256937f98842e6d7049d8fcbb88ee2c4a324865f528e1fd9ba49de094010801b280
SHA512ff48308ab82705bbe80139057ac652bf87c5fd7d129b0b57754ce50c833dda1d95743c6dd99d4560d3085cb87b571e7a6657dfde83c3908770ffcbcd551acefe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196