Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2022 14:18

Static task: static1
Behavioral task: behavioral1
Sample: DOC20220913-567890987655608.exe
Resource: win7-20220901-en
General

Target: DOC20220913-567890987655608.exe
Size: 495KB
MD5: 24cfcc6d2aad113f2cf5e56e6ad439f8
SHA1: a2ab91dee9e7671c57678469643e3b2463ec38a6
SHA256: c02ba72751bcd08440effe6f60db6c75d43c337f510f4b73f3fe70261b9d31c9
SHA512: 76008b53103b3bb12af4fb68e6b01ce7abe9e8ed2d0be1ba27df42b9fbbc3e126447d7a8f71636983eefedf4fe30e8ee68692ad80e2756a11b0ae60bd8758206
SSDEEP: 12288:MHBumaHX7OghxLM6O975yWddnhJuKL0pKk:suzOALFO995dM
Malware Config

Extracted: formbook
c1no
SKHcqi+am5xGsHiCoXnH
BObxRpdRlNT5GCo3Eg8azNIQ
GPkN2SZ9gJOYqn4iaNIH6d1MRlk=
ZrdQ6Q4zd05LBFWPDc8=
KYQZEtvg85sq1t9jd7kazNIQ
KWu2/CZdnIFgf0p8
YlJ9mWmf+XkCjxzXSw==
nPeaENkZPzjWSh5DJiBVhlrTSx9V
GfUN8rKft59DsH2CoXnH
5ThnVCgjBm96jxzXSw==
pfb0D48Mk38v
uK6V0h16ziJXZuQ3NR8asKzT2Q==
QaxeYCJXoHFvKesgBSozIyC6bkTR8rbF
QT12wt/a0nsdrbY/oSGKqcq2wQ==
vfuiENwZZrvruTm5lHDF
iNsQyVnb3NHbtXyCoXnH
9jjn4jP8RyrjBYwNPvtfPg==
Wz1uwtUpdbrpwZXZq5HpXV7TSx9V
e9+RDvTx9HSZej/7PvtfPg==
oAeNwswNS6QgtnOdmcc=
qPubLUVHnOVnrg==
5hJj3x7DBmd7jxzXSw==
UJPc9LGnoAkXANI6tm/Q
AEuW4O/a+50iqzbmTQ==
zBtaGow/nqJDqD8o99ARRpY=
lvVy19o2FG5RbnI=
C+Mjuwiv9D38YjFlKlDxbWjTSx9V
EGubVd1LTkbdRNVPEzrP
N50fT05CnOVnrg==
KwYs8G/W6/uqC1DKQQ==
GFmHQM49XbHM2bRgzkGXqcq2wQ==
6ccOQNIwJxy1N0aCoXnH
QwoOaEt9su8HvXiCoXnH
hON/kiKJdadvQRQ5vYqtBI/Sh1E=
JGudBVkGfnujw8zRpsc=
DHAN9KmqplIDRg7NHtfRAY/Sh1E=
ugtLD50RHi3ap2TdSA==
sv8ZdLAjTJCpYO/ZTNARRpY=
BVPqCaFmwbZLyJndw57aPiss/NU9Zg==
In8wuf5zZl1ailWPDc8=
MHO6dBG7C2WDl1WPDc8=
5T97jQThPgkR5H4=
txScCkbBqZg1rH2CoXnH
VqP4PVVedxRNo25u/M0=
kt1nfiHFBWmSlKCQSmlupPSTQzpf
Q6pfESIJFHV0ekl/8MU=
W6v5CQA/FW5RbnI=
qA/HpzO2t6JB1+xLGAAazNIQ
LhI5pgG1BU1iiFWPDc8=
l42eVNJBRDM3ENwC9woazNIQ
eV5oGYwMk38v
DGILBVIJd5VP29dfyjuEuqGtbjMGkYXQHA==
sRdbmrbhGtN3rC+pwRONbN/IxlnLswMRFA==
twSnE+Mjg3oUTiBl
NosU+T2QjZyXm1WPDc8=
1TBn3TWymYsceDt3aLs4EtKbDIn2AsnF
4x5ht83A0Fx3jxzXSw==
0bnTtIWxGSgUTiBl
Oxc26HoHPXh8jJmR9E2zpC8t/NU9Zg==
UJwXuNYZSX+CklWPDc8=
zy1cD5Nys5RApmS1vQ2Vqcq2wQ==
Bd/1wxjHHSgUTiBl
KIQZq6PLHaPT09biuNHG+I/Sh1E=
f9gJPU9ERcTWvpNEsTKTqcq2wQ==
frankrijk-stijlvol.online
Extracted: xloader 3.7
c1no
SKHcqi+am5xGsHiCoXnH
BObxRpdRlNT5GCo3Eg8azNIQ
GPkN2SZ9gJOYqn4iaNIH6d1MRlk=
ZrdQ6Q4zd05LBFWPDc8=
KYQZEtvg85sq1t9jd7kazNIQ
KWu2/CZdnIFgf0p8
YlJ9mWmf+XkCjxzXSw==
nPeaENkZPzjWSh5DJiBVhlrTSx9V
GfUN8rKft59DsH2CoXnH
5ThnVCgjBm96jxzXSw==
pfb0D48Mk38v
uK6V0h16ziJXZuQ3NR8asKzT2Q==
QaxeYCJXoHFvKesgBSozIyC6bkTR8rbF
QT12wt/a0nsdrbY/oSGKqcq2wQ==
vfuiENwZZrvruTm5lHDF
iNsQyVnb3NHbtXyCoXnH
9jjn4jP8RyrjBYwNPvtfPg==
Wz1uwtUpdbrpwZXZq5HpXV7TSx9V
e9+RDvTx9HSZej/7PvtfPg==
oAeNwswNS6QgtnOdmcc=
qPubLUVHnOVnrg==
5hJj3x7DBmd7jxzXSw==
UJPc9LGnoAkXANI6tm/Q
AEuW4O/a+50iqzbmTQ==
zBtaGow/nqJDqD8o99ARRpY=
lvVy19o2FG5RbnI=
C+Mjuwiv9D38YjFlKlDxbWjTSx9V
EGubVd1LTkbdRNVPEzrP
N50fT05CnOVnrg==
KwYs8G/W6/uqC1DKQQ==
GFmHQM49XbHM2bRgzkGXqcq2wQ==
6ccOQNIwJxy1N0aCoXnH
QwoOaEt9su8HvXiCoXnH
hON/kiKJdadvQRQ5vYqtBI/Sh1E=
JGudBVkGfnujw8zRpsc=
DHAN9KmqplIDRg7NHtfRAY/Sh1E=
ugtLD50RHi3ap2TdSA==
sv8ZdLAjTJCpYO/ZTNARRpY=
BVPqCaFmwbZLyJndw57aPiss/NU9Zg==
In8wuf5zZl1ailWPDc8=
MHO6dBG7C2WDl1WPDc8=
5T97jQThPgkR5H4=
txScCkbBqZg1rH2CoXnH
VqP4PVVedxRNo25u/M0=
kt1nfiHFBWmSlKCQSmlupPSTQzpf
Q6pfESIJFHV0ekl/8MU=
W6v5CQA/FW5RbnI=
qA/HpzO2t6JB1+xLGAAazNIQ
LhI5pgG1BU1iiFWPDc8=
l42eVNJBRDM3ENwC9woazNIQ
eV5oGYwMk38v
DGILBVIJd5VP29dfyjuEuqGtbjMGkYXQHA==
sRdbmrbhGtN3rC+pwRONbN/IxlnLswMRFA==
twSnE+Mjg3oUTiBl
NosU+T2QjZyXm1WPDc8=
1TBn3TWymYsceDt3aLs4EtKbDIn2AsnF
4x5ht83A0Fx3jxzXSw==
0bnTtIWxGSgUTiBl
Oxc26HoHPXh8jJmR9E2zpC8t/NU9Zg==
UJwXuNYZSX+CklWPDc8=
zy1cD5Nys5RApmS1vQ2Vqcq2wQ==
Bd/1wxjHHSgUTiBl
KIQZq6PLHaPT09biuNHG+I/Sh1E=
f9gJPU9ERcTWvpNEsTKTqcq2wQ==
frankrijk-stijlvol.online
Signatures

Suspicious use of SetThreadContext 3 IoCs
Processes: DOC20220913-567890987655608.exe, cvtres.exe, svchost.exe
  PID 2328 set thread context of 1516 (process: DOC20220913-567890987655608.exe, target process: cvtres.exe)
  PID 1516 set thread context of 3052 (process: cvtres.exe, target process: Explorer.EXE)
  PID 4504 set thread context of 3052 (process: svchost.exe, target process: Explorer.EXE)

Modifies Internet Explorer settings 1 IoCs
Processes: svchost.exe
  Key created \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: svchost.exe)

Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes: cvtres.exe, svchost.exe
  PID 1516 cvtres.exe (8 entries)
  PID 4504 svchost.exe (54 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  PID 3052 Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes: cvtres.exe, svchost.exe
  PID 1516 cvtres.exe (3 entries)
  PID 4504 svchost.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: cvtres.exe, svchost.exe
  Token: SeDebugPrivilege, PID 1516 cvtres.exe
  Token: SeDebugPrivilege, PID 4504 svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes: DOC20220913-567890987655608.exe, Explorer.EXE, svchost.exe
  PID 2328 wrote to memory of 1516 (process: DOC20220913-567890987655608.exe, target process: cvtres.exe), 6 entries
  PID 3052 wrote to memory of 4504 (process: Explorer.EXE, target process: svchost.exe), 3 entries
  PID 4504 wrote to memory of 2532 (process: svchost.exe, target process: Firefox.exe), 3 entries
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DOC20220913-567890987655608.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DOC20220913-567890987655608.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1516-133-0x0000000000000000-mapping.dmp
memory/1516-134-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1516-136-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1516-137-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/1516-138-0x00000000010F0000-0x000000000143A000-memory.dmp  Filesize: 3.3MB
memory/1516-140-0x0000000000CA0000-0x0000000000CB0000-memory.dmp  Filesize: 64KB
memory/1516-143-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1516-144-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/2328-132-0x0000000000A20000-0x0000000000AA4000-memory.dmp  Filesize: 528KB
memory/3052-149-0x0000000007FB0000-0x000000000805D000-memory.dmp  Filesize: 692KB
memory/3052-141-0x0000000007EF0000-0x0000000007FA5000-memory.dmp  Filesize: 724KB
memory/3052-151-0x0000000007FB0000-0x000000000805D000-memory.dmp  Filesize: 692KB
memory/4504-142-0x0000000000000000-mapping.dmp
memory/4504-147-0x0000000001260000-0x000000000128D000-memory.dmp  Filesize: 180KB
memory/4504-148-0x0000000001970000-0x00000000019FF000-memory.dmp  Filesize: 572KB
memory/4504-146-0x0000000001D00000-0x000000000204A000-memory.dmp  Filesize: 3.3MB
memory/4504-150-0x0000000001260000-0x000000000128D000-memory.dmp  Filesize: 180KB
memory/4504-145-0x0000000000C90000-0x0000000000C9E000-memory.dmp  Filesize: 56KB