Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2022 13:42
Static task: static1
Behavioral task: behavioral1
Sample: Purchase_Order.exe
Resource: win7-20220812-en
General
-
Target: Purchase_Order.exe
Size: 461KB
MD5: 566e113fe0ab328439baf0a1add92b53
SHA1: 9c6fac6feb951361b0c5988214e380883acab4ef
SHA256: b521c4ff6f3130816ab67c86fb383eeca6699d1527fd91efd67d7daba7daaa37
SHA512: c1fa0906f02759535dd4b249f9ff6ea6f00710f5041c6302be5b4a36f89213cbeb87e39de1604607d405f132744d2a1f545267ce1b72e8d1a8ae97c8b53a91a7
SSDEEP: 6144:bLbc1sIu0xsWhi180vAs5JVxTPHFlXEuZ6VWW6ViMwKi:rcg0uWhSImJVxjvHgWWzMd
Malware Config
Extracted
formbook
i65a
partnermdg.com
Extracted
xloader
3.8
i65a
partnermdg.com
Signatures
-
Suspicious use of SetThreadContext 3 IoCs
Processes: Purchase_Order.exe, aspnet_compiler.exe, colorcpl.exe
description                          pid   process              target process
PID 5048 set thread context of 1696  5048  Purchase_Order.exe   aspnet_compiler.exe
PID 1696 set thread context of 2456  1696  aspnet_compiler.exe  Explorer.EXE
PID 4820 set thread context of 2456  4820  colorcpl.exe         Explorer.EXE
-
Modifies Internet Explorer settings 1 IoCs
Processes: colorcpl.exe
description  ioc                                                                                                                        process
Key created  \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  colorcpl.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: aspnet_compiler.exe, colorcpl.exe
pid   process
1696  aspnet_compiler.exe (8 entries)
4820  colorcpl.exe (remaining 56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
2456  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: aspnet_compiler.exe, colorcpl.exe
pid   process
1696  aspnet_compiler.exe (3 entries)
4820  colorcpl.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: aspnet_compiler.exe, colorcpl.exe
description              pid   process
Token: SeDebugPrivilege  1696  aspnet_compiler.exe
Token: SeDebugPrivilege  4820  colorcpl.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Purchase_Order.exe, Explorer.EXE, colorcpl.exe
description                       pid   process             target process
PID 5048 wrote to memory of 1696  5048  Purchase_Order.exe  aspnet_compiler.exe (6 entries)
PID 2456 wrote to memory of 4820  2456  Explorer.EXE        colorcpl.exe (3 entries)
PID 4820 wrote to memory of 3944  4820  colorcpl.exe        Firefox.exe (3 entries)
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\colorcpl.exe
Command line: "C:\Windows\SysWOW64\colorcpl.exe"
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1696-133-0x0000000000000000-mapping.dmp
- memory/1696-134-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1696-137-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
- memory/1696-136-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1696-139-0x0000000001880000-0x0000000001BCA000-memory.dmp (Filesize 3.3MB)
- memory/1696-140-0x00000000012A0000-0x00000000012B0000-memory.dmp (Filesize 64KB)
- memory/1696-143-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1696-144-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
- memory/2456-149-0x00000000028F0000-0x00000000029D0000-memory.dmp (Filesize 896KB)
- memory/2456-141-0x0000000008470000-0x00000000085F5000-memory.dmp (Filesize 1.5MB)
- memory/2456-151-0x00000000028F0000-0x00000000029D0000-memory.dmp (Filesize 896KB)
- memory/4820-142-0x0000000000000000-mapping.dmp
- memory/4820-145-0x0000000000E50000-0x0000000000E69000-memory.dmp (Filesize 100KB)
- memory/4820-147-0x0000000002F90000-0x00000000032DA000-memory.dmp (Filesize 3.3MB)
- memory/4820-146-0x0000000000DB0000-0x0000000000DDD000-memory.dmp (Filesize 180KB)
- memory/4820-148-0x0000000002DC0000-0x0000000002E4F000-memory.dmp (Filesize 572KB)
- memory/4820-150-0x0000000000DB0000-0x0000000000DDD000-memory.dmp (Filesize 180KB)
- memory/5048-132-0x0000000000990000-0x0000000000A00000-memory.dmp (Filesize 448KB)