Analysis
-
max time kernel
91s -
max time network
92s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 19:19
Static task
static1
Behavioral task
behavioral1
Sample
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
Resource
win10v2004-20240802-en
General
-
Target
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
-
Size
1.2MB
-
MD5
3046aef9d05c2049a29afb7ec53551d0
-
SHA1
1d125005bcada9af2794a40a756ef385d0700837
-
SHA256
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12
-
SHA512
7c3c8fe66a6bde7eea3cbfa61f2fa86c2f8e44279a2fd48ede6b1187fb32cc0890a5a44e65998386ba729dd6a7722ee47a40b4e966d82e44e546a8faca6a7c0a
-
SSDEEP
24576:0hntGx9yVf41ob4s6ABttGZOATIZXTnR1rAM:0tGZ1oEEbG8xXjrAM
Malware Config
Signatures
-
Detected Nirsoft tools 11 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1072-201-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1072-203-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1072-202-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1072-206-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1072-207-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/2912-254-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2912-255-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2912-256-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2844-257-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2844-258-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2844-264-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1072-201-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1072-203-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1072-202-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1072-206-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1072-207-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/2912-254-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2912-255-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2912-256-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1072-201-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1072-203-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1072-202-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1072-206-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1072-207-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/2844-257-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2844-258-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2844-264-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Executes dropped EXE 2 IoCs
pid Process 2172 magert.exe 1072 magert.exe -
Loads dropped DLL 1 IoCs
pid Process 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Music\\magert.exe" 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 whatismyipaddress.com 17 whatismyipaddress.com 14 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2172 set thread context of 1072 2172 magert.exe 32 PID 1072 set thread context of 2912 1072 magert.exe 34 PID 1072 set thread context of 2844 1072 magert.exe 35 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language magert.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language magert.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 2172 magert.exe 2172 magert.exe 2172 magert.exe 2172 magert.exe 2172 magert.exe 2172 magert.exe 2844 vbc.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe Token: SeDebugPrivilege 2172 magert.exe Token: SeDebugPrivilege 1072 magert.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1072 magert.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1652 wrote to memory of 2172 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 31 PID 1652 wrote to memory of 2172 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 31 PID 1652 wrote to memory of 2172 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 31 PID 1652 wrote to memory of 2172 1652 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 31 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 2172 wrote to memory of 1072 2172 magert.exe 32 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2912 1072 magert.exe 34 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35 PID 1072 wrote to memory of 2844 1072 magert.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe"C:\Users\Admin\AppData\Local\Temp\32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\Music\magert.exe"C:\Users\Admin\Music\magert.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Users\Admin\Music\magert.exe"C:\Users\Admin\Music\magert.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2844
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD590b1ba161de1d578ed192f85db1bd140
SHA1cf2257fac3a33fce8f4c395d5fb5b5a5ed2bf5fd
SHA2561230c17b5bd31500fa8f35fb8b2b8b09f258356766a138301b93fd200b75fe9f
SHA512c947448fca5e351fc5a37c2b336e2e73f49f89bdba1c75f63a5ed5183650cb98901ff6f7e1ee427ab0d05f5c45d0240ddfa3301cacc56949bbfd201ac309f7b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59cc764b97fce7a28862999d136985d9a
SHA1ad23a94fc74ca7c692d989497f4d8d6dc81817e7
SHA256853edb22f4a254ab2632ebfb467b29fb2dcac0ba72ea504a83a9fac927f75718
SHA5126dcf089d44651221bdc850f030ab975210f645c6779d872626be8d5a4c028eaefb8966df56d6eea9f6e3900c5519067d63d23e289d2c5ace7a52a9a986248df1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b4c179ea5181368ec1518c585047bfa8
SHA1f500044a92336a204321faa597aa996985a55959
SHA256fe995b5f5a22e37bfe0bca79b97ca3b4ac797585c83b968006989730946676d9
SHA5123a553d5b9abcaf569c51939cb3e5f4e16098c8ced83b82cd19521f4284f82711028dae9148e8883106878c4370179b1211048c6f44a63529e0bc104790637229
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD52f6f703b5b34d8ea4a199e0e741ccfa6
SHA1c23a87986846ddbd2f9ee103ec13bd52d583cfcc
SHA256409206e1423f5a9475ff299b88d0f41e2bdf084d3082f0fe9c895de17dfa7b7c
SHA512b80291633d307ae6fa537277dd67a23e30a3b7f105c8a849b15ad335ecb3566487ceadeaf550d27be2280fee285c738f1ccf3aec82c5e612b15caf3d50b6ef8d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.2MB
MD5811ad85712eefbb8f4c9f6aebecb2463
SHA1404326ae59113a2f50a737e0ec28e7187b446969
SHA256d660cba79f0d2313e5969923a03c5f9eca8590c6f292853e8c415c2b95c773ed
SHA512fa8950af3d4e505a22e3ed76a720f01a4655b43d7030402a97d28c3e0cf264c2e6f753f1d6a14b7ea65328f49d2f1d8e6951668ecbd5cabe7039518321eb4090