Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 19:19
Static task
static1
Behavioral task
behavioral1
Sample
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
Resource
win10v2004-20240802-en
General
-
Target
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe
-
Size
1.2MB
-
MD5
3046aef9d05c2049a29afb7ec53551d0
-
SHA1
1d125005bcada9af2794a40a756ef385d0700837
-
SHA256
32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12
-
SHA512
7c3c8fe66a6bde7eea3cbfa61f2fa86c2f8e44279a2fd48ede6b1187fb32cc0890a5a44e65998386ba729dd6a7722ee47a40b4e966d82e44e546a8faca6a7c0a
-
SSDEEP
24576:0hntGx9yVf41ob4s6ABttGZOATIZXTnR1rAM:0tGZ1oEEbG8xXjrAM
Malware Config
Extracted
Protocol: smtp- Host:
smtp.zoho.com - Port:
587 - Username:
[email protected] - Password:
Diego1986
Signatures
-
Detected Nirsoft tools 9 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/3224-37-0x0000000000930000-0x00000000009B4000-memory.dmp Nirsoft behavioral2/memory/3224-39-0x0000000000930000-0x00000000009B4000-memory.dmp Nirsoft behavioral2/memory/3224-38-0x0000000000930000-0x00000000009B4000-memory.dmp Nirsoft behavioral2/memory/4692-48-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4692-49-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4692-51-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2544-54-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2544-53-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2544-61-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3224-37-0x0000000000930000-0x00000000009B4000-memory.dmp MailPassView behavioral2/memory/3224-39-0x0000000000930000-0x00000000009B4000-memory.dmp MailPassView behavioral2/memory/3224-38-0x0000000000930000-0x00000000009B4000-memory.dmp MailPassView behavioral2/memory/4692-48-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4692-49-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4692-51-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3224-37-0x0000000000930000-0x00000000009B4000-memory.dmp WebBrowserPassView behavioral2/memory/3224-39-0x0000000000930000-0x00000000009B4000-memory.dmp WebBrowserPassView behavioral2/memory/3224-38-0x0000000000930000-0x00000000009B4000-memory.dmp WebBrowserPassView behavioral2/memory/2544-54-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2544-53-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2544-61-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe -
Executes dropped EXE 2 IoCs
pid Process 736 magert.exe 3224 magert.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Music\\magert.exe" 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 44 whatismyipaddress.com 46 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 736 set thread context of 3224 736 magert.exe 92 PID 3224 set thread context of 4692 3224 magert.exe 93 PID 3224 set thread context of 2544 3224 magert.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language magert.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language magert.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 736 magert.exe 736 magert.exe 736 magert.exe 736 magert.exe 736 magert.exe 736 magert.exe 2544 vbc.exe 2544 vbc.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe Token: SeDebugPrivilege 736 magert.exe Token: SeDebugPrivilege 3224 magert.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3224 magert.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3028 wrote to memory of 736 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 89 PID 3028 wrote to memory of 736 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 89 PID 3028 wrote to memory of 736 3028 32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe 89 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 736 wrote to memory of 3224 736 magert.exe 92 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 4692 3224 magert.exe 93 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94 PID 3224 wrote to memory of 2544 3224 magert.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe"C:\Users\Admin\AppData\Local\Temp\32156b1b0123517346e255b1e84a9edf497a88b5957c684a48f0784dc9937a12N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\Music\magert.exe"C:\Users\Admin\Music\magert.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Users\Admin\Music\magert.exe"C:\Users\Admin\Music\magert.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4692
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2544
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
526B
MD50b25f9f358a722369479cecdb0bfdfd4
SHA10e5e586dc2387f8492dc7bb8b9ba17cce90ba6fb
SHA25697e51099c3c8b24d92ae0f8c0241b3477e52127f0da5f89175c56abc202196c7
SHA5125f91fcd8822aa8e74566dc4b89af55e9f539aab19dc11cb450c13baa846e494b9f27954cce8626c867177b43e76be03a631c58e29be41b7bdad61576f5b8378b
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
1.2MB
MD5b8b4fd05572d5a45c34e1c783a7fd2d1
SHA15e25777deb23294ab8110e87f28d34a62caa5db4
SHA256cb6b2f18d1052f7679ae1fdd4b8b4068fc1cfcf1e79788e42041c244543a7450
SHA512f92068354cfa090019234f0b7fa7a7bfa69ff87416c065cb7807eb1facaa172b3b0850d5d89d12309a08048a6ff0f3fa0d8841344dd012d0c0b35383b3733f35