Analysis
- Max time kernel: 121s
- Max time network: 144s
- Platform: windows7_x64
- Resource: win7-20240508-en
- Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- Submitted: 04-06-2024 13:27
Static task: static1
Behavioral task: behavioral1
- Sample: Statement.Of.Account.exe
- Resource: win7-20240508-en
General
- Target: Statement.Of.Account.exe
- Size: 730KB
- MD5: d875b18ba8697ac9f3f6a5733ae916fa
- SHA1: 1e2704f3b999e57e84c2b5e9fb27a47d4fa3f356
- SHA256: ce80af98fda09bf24006e478aca3f2bdc6e496a293223116b0da19d7aa2073cd
- SHA512: b493af28acc377e63c6b929b167818b5234efadf29e420cb71637621afd729dcd320051281684e5783a10e41a4fe15ccea8a085ec1c140b5fc8124f12a5f70ad
- SSDEEP: 12288:cMput4EcmZHAFaxmVmie9bngPooRy3i0zPPQEHjRYS11CQmWHDK32UD0JK79Jiek:cMpk4EcmZHAFaxmVmie9bngPZmwEHjq7
Malware Config
Signatures
NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
YARA matches (resource: yara_rule):
- behavioral1/memory/2208-25-0x0000000000400000-0x0000000000488000-memory.dmp: MailPassView
- behavioral1/memory/2208-23-0x0000000000400000-0x0000000000488000-memory.dmp: MailPassView
- behavioral1/memory/2208-21-0x0000000000400000-0x0000000000488000-memory.dmp: MailPassView
- behavioral1/memory/2208-17-0x0000000000400000-0x0000000000488000-memory.dmp: MailPassView
- behavioral1/memory/2208-15-0x0000000000400000-0x0000000000488000-memory.dmp: MailPassView
- behavioral1/memory/1652-31-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1652-30-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1652-32-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
NirSoft WebBrowserPassView (8 IoCs)
Password recovery tool for various web browsers
YARA matches (resource: yara_rule):
- behavioral1/memory/2208-25-0x0000000000400000-0x0000000000488000-memory.dmp: WebBrowserPassView
- behavioral1/memory/2208-23-0x0000000000400000-0x0000000000488000-memory.dmp: WebBrowserPassView
- behavioral1/memory/2208-21-0x0000000000400000-0x0000000000488000-memory.dmp: WebBrowserPassView
- behavioral1/memory/2208-17-0x0000000000400000-0x0000000000488000-memory.dmp: WebBrowserPassView
- behavioral1/memory/2208-15-0x0000000000400000-0x0000000000488000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1812-33-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1812-34-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1812-38-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
Nirsoft (11 IoCs)
YARA matches (resource: yara_rule):
- behavioral1/memory/2208-25-0x0000000000400000-0x0000000000488000-memory.dmp: Nirsoft
- behavioral1/memory/2208-23-0x0000000000400000-0x0000000000488000-memory.dmp: Nirsoft
- behavioral1/memory/2208-21-0x0000000000400000-0x0000000000488000-memory.dmp: Nirsoft
- behavioral1/memory/2208-17-0x0000000000400000-0x0000000000488000-memory.dmp: Nirsoft
- behavioral1/memory/2208-15-0x0000000000400000-0x0000000000488000-memory.dmp: Nirsoft
- behavioral1/memory/1652-31-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1652-30-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1652-32-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1812-33-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1812-34-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1812-38-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: vbc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: vbc.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow: ioc):
- flow 2: whatismyipaddress.com
- flow 4: whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes: Statement.Of.Account.exe, RegSvcs.exe
- PID 1688 (Statement.Of.Account.exe) set thread context of PID 2208 (RegSvcs.exe)
- PID 2208 (RegSvcs.exe) set thread context of PID 1652 (vbc.exe)
- PID 2208 (RegSvcs.exe) set thread context of PID 1812 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Statement.Of.Account.exe, RegSvcs.exe
- PID 1688 Statement.Of.Account.exe (3 entries)
- PID 2208 RegSvcs.exe (1 entry)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Statement.Of.Account.exe, RegSvcs.exe
- Token: SeDebugPrivilege, PID 1688 Statement.Of.Account.exe
- Token: SeDebugPrivilege, PID 2208 RegSvcs.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegSvcs.exe
- PID 2208 RegSvcs.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: Statement.Of.Account.exe, RegSvcs.exe (identical rows collapsed, with the number of entries for each source/target pair)
- PID 1688 (Statement.Of.Account.exe) wrote to memory of PID 2784 (schtasks.exe): 4 entries
- PID 1688 (Statement.Of.Account.exe) wrote to memory of PID 2208 (RegSvcs.exe): 12 entries
- PID 2208 (RegSvcs.exe) wrote to memory of PID 1652 (vbc.exe): 10 entries
- PID 2208 (RegSvcs.exe) wrote to memory of PID 1812 (vbc.exe): 10 entries
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\Statement.Of.Account.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Statement.Of.Account.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UQaQPjIpaHIhAV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9CB.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Local\Temp\tmpD9CB.tmp
  Filesize: 1KB
  MD5: dc7ee7b3006fcde7b5fa9601f9e707ca
  SHA1: 42d53084bcd0b199de21919595c386aa96b81f21
  SHA256: 6d7d045cecf10f30ad87e2e527dc743cf810202a738c867967fe3f4b7697c658
  SHA512: f478d6d9ccc7c7da0183895109f6e093e2aecf990867281d137b659f887ba8d43951faba495cabfd568f9e3103a8dce99628939e31f4540fc6082e230fb93fdc