Analysis
-
max time kernel
132s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2024 12:50
Static task
static1
Behavioral task
behavioral1
Sample
50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Resource
win10v2004-20240802-en
General
-
Target
50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
-
Size
790KB
-
MD5
6f42a0a4f4c44c32c274c2383096d515
-
SHA1
dcef833539c48b66f83c80c7f349bbbb16a057cd
-
SHA256
50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd
-
SHA512
87d1b426d2cfbdd609f4d8b2a4bd09ba2afeb101307e3a4dcc8fa9fa9bd1f0498a3ce5bedf50e2fb92c838b0e9a44624ca4d72b5f539cc10245cfedca04b3312
-
SSDEEP
12288:qUi2iN7WxGv2cEgBsSs4j9a1sEEWPPJK1i2RGPBaVj0FbJqzvH1i4QPuTfj+:qUi1SgPEg2j1HPBKnRq40EvHEvP4fj+
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 9 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral2/memory/1948-24-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1948-22-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1948-25-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1948-28-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/744-30-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/744-32-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/744-33-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/744-41-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral2/memory/1948-24-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1948-22-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1948-25-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1948-28-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral2/memory/744-30-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/744-32-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/744-33-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/744-41-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 40 whatismyipaddress.com 42 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1044 set thread context of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 4956 set thread context of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 set thread context of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 744 vbc.exe 744 vbc.exe 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe Token: SeDebugPrivilege 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1044 wrote to memory of 2436 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 97 PID 1044 wrote to memory of 2436 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 97 PID 1044 wrote to memory of 2436 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 97 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 1044 wrote to memory of 4956 1044 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 98 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 1948 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 99 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100 PID 4956 wrote to memory of 744 4956 50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"2⤵PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:744
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe.log
Filesize1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196