Analysis
max time kernel: 119s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2022 06:32
Static task: static1
Behavioral task: behavioral1
Sample: DOC20220919-56789098765560890.exe
Resource: win7-20220812-en
General
Target: DOC20220919-56789098765560890.exe
Size: 844KB
MD5: ab4f11300b28fca30e7b1febe92fe21e
SHA1: d436f88bb93be78b99c06db844611ffc217c214f
SHA256: 649e67dfa9829d849ab0e2e5dd9c40702dbb89cf5a8a02ad111c5f2df79c411f
SHA512: 28e0a4754d23fa1b5be34170aaa78812d3ef0794aa1e1082ff848075198856455df7ddf4e0742bc4d23093012cd352ba1eb0fd43bbd7f8ee79bf9b39ac7b7b13
SSDEEP: 12288:TjatMC00J4BPcOmK80/6wM2zlgKM/h40knDwq/9xDxTVORzmXIcQI:CtmmMk7K80LMagKOO5V8zQ4I
Malware Config
Extracted
formbook
c1no
NOAZ1GtFnUx1bqjUWmD6
sUBk3CYAoWuQfq3UWmD6
5vwrVl0msDtpEkYt
VtL6sSoIchhMStcj5DxYbm3FBw==
BKjy1ZxyhhuJ2guPWUI=
eAgklPLAE7zgqOmwRqPNOQLXz1Y=
aApC9n9Zp0ZhObwjLLLUAg1cjsx6Lg==
OrLZYLeFBavC1cD5+A==
jJm87eu4hy/QMbYE/wzDRQLXz1Y=
s63OS5RsBKrY3FurpDZXbm3FBw==
hyxwKsePxJNCwwejbEg=
l5667e2vQOkM4hFPE5yA0Q==
wTtVQBT04YkyoNKoN53GFV9m2hpS
+pzWhBnS26FJqiRyZXQrqR1Ow/1B
d/VHx031x5W2
GjhhiKSDZ/1txQejbEg=
nDhRjp5e9JeQiKzm+gqI41hdV5nFhsI=
ws4wtUMZYA1pEkYt
GazXV6Fr6akfcvxEOcbpTTCmMEq7Jg==
2vAOHufF5MT6VdU=
Rmesm2FJYQCwdLa4dn8tHKc0tsSMRfan/A==
6PYJNksMyWn+TNBGQB/GmyCpMEq7Jg==
Fk3Kzl41C52WgvVUK5CSbjeE7XvqENr6
olaNRROnJwFpEkYt
bOL3cqB4Lb5u8hpVE5yA0Q==
UPhAL/jS6oo+0QuPWUI=
/n/q6bKEjFsQ1cD5+A==
+5/mpjYIUmnXNnK5upj1E8mT
PuAXz2ErflH/g6eZbfwmbm3FBw==
rUZUn6iDBMu+lg==
ammOBlkSZQ8xMWjk8g==
2Nbi4a9xZ0C0Qsg=
yXy3fBvsNUC0Qsg=
3OP8OEAwNtmG7eHtqP/y
aZfJwo9uhflo0AejbEg=
rlKRSty85XfkPcQf67s2jwwHuOrqENr6
VujyOjoYA555frmhOEA=
5lqQRs+a5o25zgnSZDOgfC/0swL69ajj
9xtRcMJdYA8=
WAhN/oJdfxe9NlRB+pmEA4c=
zYi59Q3pfRM9NHJE+pmEA4c=
3XSFxN+uZwCrL2QxujpZbm3FBw==
haa1wH9dq3IVdt07FfeZcSUHMF2tMQ==
lJa6H2UyslV9atQXt5r1E8mT
NDRjkZ97O9Zw9zCOZUo=
qZ7TO5F298Ly3Fu/vT5cbm3FBw==
rCRIQQ/W47Nn5SuyelE=
+BYq7oZaeQZ2xwejbEg=
Tvs24IVjt1RzaqLUWmD6
xecmWVw0Ca5OxvnKE5yA0Q==
3mx+AzwMxJn2Qr86Ri37bWDlYG/pPw==
9mt5fMuwMAFpEkYt
kio7eXZGFaY/lht2VjqoCrkC+zmtm8g=
hQIf02FBly5EIlVLGCPTwzqpMEq7Jg==
6h9in6mDBMu+lg==
FfoRVGQ48Hlwd6bUWmD6
o7/v/Mq18YadfL1VGjGK1w==
o8oJTk8sPAH30g1PE5yA0Q==
d6XZ3J6Cw2SCeq3UWmD6
KlSLmF81NspzLTML7w==
oZuwp21CK1BpEkYt
4gBJdJRq/pvS1VJNAZduYFBRDl4=
7iFaThnsDL5k5Finp5j1E8mT
HdIf10k3z6LNwv79zCpObm3FBw==
virusalert.online
Signatures

Drops file in System32 directory (2 IoCs)
Process: svchost.exe
description  | ioc                                                                                                                             | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A2B186F3-9BE4-477E-A944-B0AA39CD18EC}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{ACBB3DE8-8A71-4592-BF92-3EC6ACF1FD25}.catalogItem | svchost.exe
Note: both writes are attributed to the top-level svchost.exe -k netsvcs -p instance listed under Processes, which the tree does not show as a child of the sample. InstallService\*.catalogItem files under the system profile are written by the Microsoft Store Install Service during normal servicing, so this signature should not be read as sample behaviour without further evidence linking the two.
Suspicious use of SetThreadContext (1 IoC)
Process: DOC20220919-56789098765560890.exe
description                        | pid  | process                           | target process
PID 1544 set thread context of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: svchost.exe
description       | ioc                                                                                  | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Process: svchost.exe
description       | ioc                                                          | process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS            | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  | svchost.exe
Note: all five registry reads in these two signatures are attributed to svchost.exe, not to either instance of the sample, so on this report alone they do not show the sample fingerprinting the host. The sample-attributed signatures are the SetThreadContext, WriteProcessMemory and EnumeratesProcesses entries.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: DOC20220919-56789098765560890.exe
pid | process
408 | DOC20220919-56789098765560890.exe
408 | DOC20220919-56789098765560890.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Process: DOC20220919-56789098765560890.exe
description                     | pid  | process                           | target process
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
PID 1544 wrote to memory of 408 | 1544 | DOC20220919-56789098765560890.exe | DOC20220919-56789098765560890.exe
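The three sample-attributed signatures above (WriteProcessMemory into PID 408, SetThreadContext on PID 408, then EnumeratesProcesses from PID 408) are the sequence a process-hollowing detection keys on: the parent writes a new image into a suspended child and redirects its main thread into it. The following is an added example, not part of the sandbox's report or its tooling, that parses the flattened IoC rows as they appear on this page and triages them: it pairs write and thread-context events per (source PID, target PID), flags the pair as a hollowing candidate, and separately attributes the registry reads to the process that made them so the svchost.exe rows are not miscounted as sample behaviour. The input lines are constructed copies of the rows above; the row grammar (`PID <src> ... of <dst> <src> <image> <image>`, `Key ... <path> <process>`) is assumed from what is visible here and is not a documented format.

```python
import re
from collections import defaultdict

# Constructed copies of the IoC rows from the Signatures section, one per line,
# in the flattened "description pid process target" form the report shows.
REPORT_LINES = [
    "PID 1544 set thread context of 408 1544 DOC20220919-56789098765560890.exe DOC20220919-56789098765560890.exe",
] + [
    "PID 1544 wrote to memory of 408 1544 DOC20220919-56789098765560890.exe DOC20220919-56789098765560890.exe",
] * 6 + [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe",
]

# Row grammar assumed from the rows on this page (hypothetical, not a documented format):
#   "PID <src> set thread context of <dst> <src> <src image> <dst image>"
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
#   "Key value queried|opened <registry path> <process image>"
SET_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
REG = re.compile(r"^Key (value queried|opened) (\S+) (\S+)$")


def parse_injection_events(lines):
    """Group cross-process write and thread-context events by (source pid, target pid)."""
    events = defaultdict(lambda: {"writes": 0, "set_context": 0, "images": None})
    for line in lines:
        for kind, rx in (("writes", WRITE), ("set_context", SET_CTX)):
            m = rx.match(line.strip())
            if m:
                src, dst, src_img, dst_img = m.groups()
                ev = events[(int(src), int(dst))]
                ev[kind] += 1
                ev["images"] = (src_img, dst_img)
    return dict(events)


def hollowing_candidates(events):
    """A source that both wrote into a target and replaced its thread context matches
    the hollowing sequence; the same image on both sides (the sample injecting into
    a fresh copy of itself, as in this report) raises confidence further."""
    out = []
    for (src, dst), ev in sorted(events.items()):
        if ev["writes"] and ev["set_context"]:
            src_img, dst_img = ev["images"]
            out.append({"parent": src, "child": dst, "writes": ev["writes"],
                        "self_injection": src_img == dst_img})
    return out


def registry_reads_by_process(lines):
    """Attribute each registry IoC to the process image that performed it."""
    reads = defaultdict(list)
    for line in lines:
        m = REG.match(line.strip())
        if m:
            reads[m.group(3)].append(m.group(2))
    return dict(reads)


if __name__ == "__main__":
    for c in hollowing_candidates(parse_injection_events(REPORT_LINES)):
        print(f"hollowing candidate: {c['parent']} -> {c['child']} "
              f"({c['writes']} writes, self-injection={c['self_injection']})")
    for proc, keys in registry_reads_by_process(REPORT_LINES).items():
        print(f"{proc}: {len(keys)} registry reads")
```

A parent writing into a child and then calling SetThreadContext is also what debuggers and some legitimate loaders do, so the pair alone is a lead rather than a verdict; the same-image check, the six separate writes (headers and sections landing one by one), and the child subsequently enumerating processes are what make this report's case convincing.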
Processes
(PIDs taken from the Signatures section)

C:\Users\Admin\AppData\Local\Temp\DOC20220919-56789098765560890.exe (depth 1, PID 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOC20220919-56789098765560890.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DOC20220919-56789098765560890.exe (depth 2, PID 408, child of 1544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DOC20220919-56789098765560890.exe"
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\svchost.exe (depth 1, not shown as a child of the sample)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
dump                                                             | Filesize
memory/408-138-0x0000000000000000-mapping.dmp                    |
memory/408-139-0x0000000000400000-0x000000000042F000-memory.dmp  | 188KB
memory/408-141-0x0000000000400000-0x000000000042F000-memory.dmp  | 188KB
memory/408-142-0x0000000000401000-0x000000000042F000-memory.dmp  | 184KB
memory/408-143-0x00000000017E0000-0x0000000001B2A000-memory.dmp  | 3.3MB
memory/1544-132-0x00000000001A0000-0x0000000000278000-memory.dmp | 864KB
memory/1544-133-0x00000000051E0000-0x0000000005784000-memory.dmp | 5.6MB
memory/1544-134-0x0000000004C30000-0x0000000004CC2000-memory.dmp | 584KB
memory/1544-135-0x00000000026D0000-0x00000000026DA000-memory.dmp | 40KB
memory/1544-136-0x0000000008650000-0x00000000086EC000-memory.dmp | 624KB
memory/1544-137-0x0000000008720000-0x0000000008786000-memory.dmp | 408KB
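The dump names above encode the process and the virtual address range each one covers, which is enough to decide where to start without downloading everything. The following is an added example, not part of the sandbox's report or its tooling: it parses the names, recomputes each region's size and checks it against the stated Filesize, and picks out the regions that start at 0x400000. That address is the conventional default image base of a 32-bit PE (an assumption; the report does not state the child's image base), so the two 188KB regions there in PID 408, the process that PID 1544 wrote into and redirected, are the natural first candidates for the written-in image. The entries are constructed copies of the list above; the name grammar is inferred from them, not a documented format.

```python
import re

# Constructed from the Downloads list above: (dump name, size as the report states it).
DUMP_ENTRIES = [
    ("memory/408-138-0x0000000000000000-mapping.dmp", None),
    ("memory/408-139-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/408-141-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/408-142-0x0000000000401000-0x000000000042F000-memory.dmp", "184KB"),
    ("memory/408-143-0x00000000017E0000-0x0000000001B2A000-memory.dmp", "3.3MB"),
    ("memory/1544-132-0x00000000001A0000-0x0000000000278000-memory.dmp", "864KB"),
    ("memory/1544-133-0x00000000051E0000-0x0000000005784000-memory.dmp", "5.6MB"),
    ("memory/1544-134-0x0000000004C30000-0x0000000004CC2000-memory.dmp", "584KB"),
    ("memory/1544-135-0x00000000026D0000-0x00000000026DA000-memory.dmp", "40KB"),
    ("memory/1544-136-0x0000000008650000-0x00000000086EC000-memory.dmp", "624KB"),
    ("memory/1544-137-0x0000000008720000-0x0000000008786000-memory.dmp", "408KB"),
]

# Name grammar inferred from the entries above (assumption, not a documented format):
#   memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RX = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumed default image base of a 32-bit PE; the report does not state the child's base.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump(name):
    """Return pid/index/start/end/size for a region dump, or None for entries that
    carry no address range (the *-mapping.dmp record)."""
    m = DUMP_RX.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Mirror the report's size convention: whole KiB below 1 MiB, one decimal MiB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def size_mismatches(entries):
    """Entries whose stated Filesize disagrees with the size implied by the address range."""
    out = []
    for name, stated in entries:
        d = parse_dump(name)
        if d is not None and human_size(d["size"]) != stated:
            out.append((name, stated, human_size(d["size"])))
    return out


def regions_at(entries, base=DEFAULT_IMAGE_BASE):
    """(pid, index, size) of every dump whose region starts exactly at `base`."""
    hits = []
    for name, _ in entries:
        d = parse_dump(name)
        if d is not None and d["start"] == base:
            hits.append((d["pid"], d["index"], d["size"]))
    return sorted(hits)


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMP_ENTRIES))
    for pid, idx, size in regions_at(DUMP_ENTRIES):
        print(f"PID {pid} dump {idx}: region at 0x{DEFAULT_IMAGE_BASE:X}, {human_size(size)}")
```

Two regions at the same base in the same process (dumps 139 and 141) are usually the sandbox capturing the region at different moments, so comparing them shows whether the contents changed after the write; the 184KB dump 142 starting at 0x401000 skips the first page, which is where a PE header would sit.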