Analysis
- max time kernel: 74s
- max time network: 69s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 11:18
- Static task: static1
- Behavioral task: behavioral1 (Sample: OurHack2.0.exe, Resource: win10v2004-20240611-en)
General
- Target: OurHack2.0.exe
- Size: 424KB
- MD5: 4a1213a8c757f3c6c02e098e6a6b99c3
- SHA1: 4865d8f010a0929f3dabc631875699738b2c3e7b
- SHA256: 7ca4702709ff125a7ec1e503b4358a3a8cb5cc282f57b262589e5c113c461b83
- SHA512: 1613e0ae56a57a6e7935f4e7166c3c4e5b2a5683eb685d136fd32677e8c6f316d16c70064ba13e1101b6477f4fee68864358e091e0e7ab66b30e304b7c8d87c0
- SSDEEP: 12288:pzDTo+c8NlvH0tGJjeM5u8v+VmlE2GLJ0uQ:9xbP0tkaM5Rwm62001
Malware Config
Extracted
- Protocol: ftp
- Host: files.000webhost.com
- Port: 21
- Username: kgarbuz2000
Signatures
-
NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
Processes:
- resource: behavioral1/memory/4708-17-0x0000000000400000-0x000000000041E000-memory.dmp, yara_rule: MailPassView
-
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
- resource: behavioral1/memory/2696-23-0x0000000000400000-0x000000000045D000-memory.dmp, yara_rule: WebBrowserPassView
- resource: behavioral1/memory/2696-29-0x0000000000400000-0x000000000045D000-memory.dmp, yara_rule: WebBrowserPassView
-
Nirsoft (6 IoCs)
Processes:
- resource: behavioral1/memory/4708-17-0x0000000000400000-0x000000000041E000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral1/memory/2696-23-0x0000000000400000-0x000000000045D000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral1/memory/2696-29-0x0000000000400000-0x000000000045D000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral1/memory/2528-35-0x0000000000400000-0x0000000000426000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral1/memory/2528-37-0x0000000000400000-0x0000000000426000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral1/memory/396-45-0x0000000000400000-0x0000000000418000-memory.dmp, yara_rule: Nirsoft
-
Executes dropped EXE (4 IoCs)
Processes:
- pid 4708, process mpv.exe
- pid 2696, process WBP.exe
- pid 2528, process mespv.exe
- pid 396, process pv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\mespv.exe, yara_rule: upx
- resource: behavioral1/memory/2528-35-0x0000000000400000-0x0000000000426000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/2528-37-0x0000000000400000-0x0000000000426000-memory.dmp, yara_rule: upx
-
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
- description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, process: mpv.exe
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000, process: taskmgr.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A, process: taskmgr.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName, process: taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 2696, process WBP.exe (2 entries)
- pid 2528, process mespv.exe (2 entries)
- pid 1996, process taskmgr.exe (60 entries)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- description: Token: SeDebugPrivilege, pid 2528, process mespv.exe
- description: Token: SeDebugPrivilege, pid 1996, process taskmgr.exe
- description: Token: SeSystemProfilePrivilege, pid 1996, process taskmgr.exe
- description: Token: SeCreateGlobalPrivilege, pid 1996, process taskmgr.exe
-
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- pid 1996, process taskmgr.exe (64 entries)
-
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- pid 1996, process taskmgr.exe (64 entries)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- description: PID 4604 wrote to memory of 4708, pid 4604, process OurHack2.0.exe, target process mpv.exe (3 entries)
- description: PID 4604 wrote to memory of 2696, pid 4604, process OurHack2.0.exe, target process WBP.exe (3 entries)
- description: PID 4604 wrote to memory of 2528, pid 4604, process OurHack2.0.exe, target process mespv.exe (3 entries)
- description: PID 4604 wrote to memory of 396, pid 4604, process OurHack2.0.exe, target process pv.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\OurHack2.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OurHack2.0.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mpv.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\mpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mpvp.txt
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
  - C:\Users\Admin\AppData\Local\Temp\WBP.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\WBP.exe /stext C:\Users\Admin\AppData\Local\Temp\WBVP.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\mespv.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\mespv.exe /stext C:\Users\Admin\AppData\Local\Temp\mespvp.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\pv.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\pv.exe /stext C:\Users\Admin\AppData\Local\Temp\pvp.txt
    - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\WBP.exe
Filesize: 183KB
MD5: 6d95f03eaf83b31686f263260202ee36
SHA1: 6633ac9d7790031b49bb2a4170ec77591d94bb58
SHA256: 29f2a54c829c37fc904a2b682c50b57d6d35e9af5dc7f43d72b68c8c51255103
SHA512: a8dda5f3c9e493f9f0e17bfee40a73f74ac6c4276b22589ec9bb163a91f941d966e4ce3b0866be7488fddd229156d73017fb8b22fc3b90903591fef2045c2b46
-
C:\Users\Admin\AppData\Local\Temp\WBVP.txt
Filesize: 3KB
MD5: f94dc819ca773f1e3cb27abbc9e7fa27
SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\mespv.exe
Filesize: 65KB
MD5: ffc52f2b4435fcddaca6e15489a88b75
SHA1: 63ec31a04cf176852344d544ae855da0dac64980
SHA256: 3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f
SHA512: 389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c
-
C:\Users\Admin\AppData\Local\Temp\mpv.exe
Filesize: 50KB
MD5: a138fca70622323e45d6018125322051
SHA1: b91f8e20569fecabed22e48da5ec626758563488
SHA256: 677d333648aba8e2538cbbb9fdd8a32901c67a5e10c8f951970313499304783a
SHA512: b89f1d513608f5b0f8022a8d983cdfec0064ecd5e8479125b40477738fc0f5e2b1aa77868333fd783cd5cd2233e0f018d16d8865650071b1a371d375c22a54ee
-
C:\Users\Admin\AppData\Local\Temp\pv.exe
Filesize: 38KB
MD5: afe3aeeffaa1e1772a926ca45923f33f
SHA1: f20104fa1f75f341818751b5164b5c2b24d2dd9e
SHA256: 6cbc1d59fdba6445b8e7243a08bd64816f01fcf6ce7f68570d9170e13c8810a7
SHA512: 083732db58970d192b98c4298444b8eba2ecae5fa982b3d9505cfa17bce920106281f66df507e6e211d969a6c553d212e50dcdcfeab4b900301d01c442a0de91
-
C:\Users\Admin\AppData\Local\Temp\pvp.txt
Filesize: 725B
MD5: 7797a3675f24126badb9c6c867b585fb
SHA1: 3d9a871fbe04365d1c6b14bcfcdba217b6522cb6
SHA256: 58389d981661268bd12d2a1f2e64aeed3f74a47fd55477ffed4792d3e7a4c4ab
SHA512: 04511af2204b66febb0574dedf973ee5932d1960a49e20665da82374d58ba2703b420e2198856bf7d00bb1377cf776a265d8606cdc3cf98b419987b10dccdbd5
Memory dumps:
- memory/396-45-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/396-42-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/1996-50-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-54-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-55-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-56-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-57-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-58-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-59-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-60-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-48-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/1996-49-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp (Filesize: 4KB)
- memory/2528-35-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2528-37-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2696-23-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
- memory/2696-29-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
- memory/2696-21-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
- memory/4604-1-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp (Filesize: 9.6MB)
- memory/4604-9-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp (Filesize: 9.6MB)
- memory/4604-5-0x000000001BD50000-0x000000001C21E000-memory.dmp (Filesize: 4.8MB)
- memory/4604-47-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp (Filesize: 9.6MB)
- memory/4604-0-0x00007FFDAAF85000-0x00007FFDAAF86000-memory.dmp (Filesize: 4KB)
- memory/4604-6-0x000000001C330000-0x000000001C3CC000-memory.dmp (Filesize: 624KB)
- memory/4604-3-0x000000001B6B0000-0x000000001B714000-memory.dmp (Filesize: 400KB)
- memory/4604-2-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp (Filesize: 9.6MB)
- memory/4604-4-0x000000001B7D0000-0x000000001B876000-memory.dmp (Filesize: 664KB)
- memory/4604-7-0x0000000001000000-0x0000000001008000-memory.dmp (Filesize: 32KB)
- memory/4604-8-0x000000001C5E0000-0x000000001C62C000-memory.dmp (Filesize: 304KB)
- memory/4708-15-0x000000000041B000-0x000000000041C000-memory.dmp (Filesize: 4KB)
- memory/4708-14-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4708-17-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)