Analysis
-
max time kernel
131s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-09-2024 02:44
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Invoice.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Pics.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Pics.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Products drawing.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Products drawing.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Quotation and Prices.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
Quotation and Prices.exe
Resource
win10v2004-20240802-en
General
-
Target
Pics.exe
-
Size
806KB
-
MD5
676dda52e0fec9f49caee414127de4ef
-
SHA1
6d95db4649588997b3b53b5e95aecb67047ba3ae
-
SHA256
20f5a9a0987d95a8b22df5c60e246d85259ec8893d0d6f3c7fdfeecb066e6b07
-
SHA512
ac1dc1bc932c503360119c713b3ae0d81331f1f36838e2b26dab1c8a80e5c4f7df57df19ad6c59cbc8f2f77d02f77fd9f9919cd5be8310ef17ce15d25126ccfb
-
SSDEEP
12288:fFda+FdaiFQMGqfwkD4KyN5U97OlIhvGPC10KnLkwvsdir8EwBxAOpWerOR8AtsF:VFpGqfwBtN0j10KLkwQiYHsv6At
Malware Config
Extracted
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
MARYolanmauluogwo@ever
Signatures
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
resource yara_rule behavioral4/memory/4664-5-0x00000000050E0000-0x0000000005198000-memory.dmp beds_protector -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral4/memory/2320-26-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral4/memory/4004-48-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/4004-49-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/4004-51-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral4/memory/4984-54-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral4/memory/4984-55-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral4/memory/4984-62-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral4/memory/2320-26-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral4/memory/4004-48-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral4/memory/4004-49-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral4/memory/4004-51-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral4/memory/2320-26-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral4/memory/4984-54-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral4/memory/4984-55-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral4/memory/4984-62-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Pics.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 whatismyipaddress.com 11 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4664 set thread context of 2320 4664 Pics.exe 95 PID 2320 set thread context of 4004 2320 Pics.exe 100 PID 2320 set thread context of 4984 2320 Pics.exe 105 -
pid Process 3008 Powershell.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4272 2320 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3008 Powershell.exe 3008 Powershell.exe 4984 vbc.exe 4984 vbc.exe 2320 Pics.exe 2320 Pics.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3008 Powershell.exe Token: SeDebugPrivilege 2320 Pics.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2320 Pics.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 4664 wrote to memory of 3008 4664 Pics.exe 93 PID 4664 wrote to memory of 3008 4664 Pics.exe 93 PID 4664 wrote to memory of 3008 4664 Pics.exe 93 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 4664 wrote to memory of 2320 4664 Pics.exe 95 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4004 2320 Pics.exe 100 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105 PID 2320 wrote to memory of 4984 2320 Pics.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pics.exe"C:\Users\Admin\AppData\Local\Temp\Pics.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Pics.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\Pics.exe"C:\Users\Admin\AppData\Local\Temp\Pics.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4004
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4984
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 21363⤵
- Program crash
PID:4272
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:81⤵PID:3432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 23201⤵PID:4680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56a669672404c7fa39949936a483cf174
SHA125efdb55d16b9629db7d934e960a73d31a24f7c9
SHA256937f98842e6d7049d8fcbb88ee2c4a324865f528e1fd9ba49de094010801b280
SHA512ff48308ab82705bbe80139057ac652bf87c5fd7d129b0b57754ce50c833dda1d95743c6dd99d4560d3085cb87b571e7a6657dfde83c3908770ffcbcd551acefe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196