Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 03:51
Static task
static1
Behavioral task
behavioral1
Sample
btcreceiptscopies.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
btcreceiptscopies.exe
Resource
win10v2004-20241007-en
General
-
Target
btcreceiptscopies.exe
-
Size
742KB
-
MD5
9e86c85f3d451e8a8716c39dbe28379a
-
SHA1
c23ac963949b1c91ae566be269971e72808376a7
-
SHA256
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
-
SHA512
f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422
-
SSDEEP
12288:txGQ/w/DKicDR4RBAwFV340O5BZOKhNSRmDSuo8ukI/Px6VqlZz6oa5Nlt4pWG:PGQYLPRBAwFVo0O5BZOKhNZ9I4UlZmdO
Malware Config
Extracted
Protocol: smtp- Host:
webmail.mts.rs - Port:
587 - Username:
[email protected] - Password:
Tptadic
Signatures
-
Hawkeye family
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/452-6-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral2/memory/3016-43-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3016-45-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3016-42-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4812-49-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4812-48-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4812-56-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/452-6-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral2/memory/3016-43-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3016-45-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3016-42-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/452-6-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral2/memory/4812-49-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4812-48-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4812-56-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation btcreceiptscopies.exe -
Executes dropped EXE 2 IoCs
pid Process 5100 Windows Update.exe 4068 Windows Update.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 whatismyipaddress.com 13 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4924 set thread context of 452 4924 btcreceiptscopies.exe 85 PID 5100 set thread context of 4068 5100 Windows Update.exe 88 PID 4068 set thread context of 3016 4068 Windows Update.exe 90 PID 4068 set thread context of 4812 4068 Windows Update.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btcreceiptscopies.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btcreceiptscopies.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe 4068 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4068 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4068 Windows Update.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 4924 wrote to memory of 452 4924 btcreceiptscopies.exe 85 PID 452 wrote to memory of 5100 452 btcreceiptscopies.exe 87 PID 452 wrote to memory of 5100 452 btcreceiptscopies.exe 87 PID 452 wrote to memory of 5100 452 btcreceiptscopies.exe 87 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 5100 wrote to memory of 4068 5100 Windows Update.exe 88 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 3016 4068 Windows Update.exe 90 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91 PID 4068 wrote to memory of 4812 4068 Windows Update.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\btcreceiptscopies.exe"C:\Users\Admin\AppData\Local\Temp\btcreceiptscopies.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\btcreceiptscopies.exe"C:\Users\Admin\AppData\Local\Temp\btcreceiptscopies.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
- System Location Discovery: System Language Discovery
PID:4812
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55B
MD5e672630996e21ad7d8ae6fb323fc7f67
SHA1d30f3cca177e51c6e5d30300c0e4efd85f443910
SHA25686185edaab9a8db1dc592c8cfa76359a7b9f4775ae0769b2f8738340bdcedec8
SHA5124a404c550f79ac3adea3689cad9f13a8bbceccff90e92c723427dabcddbaacabf91c7f5132d39493df5aa9c00c1ce87146d231f82ac2e0f87c9dc9159aad4cad
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
742KB
MD59e86c85f3d451e8a8716c39dbe28379a
SHA1c23ac963949b1c91ae566be269971e72808376a7
SHA2565e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
SHA512f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422