Analysis

max time kernel: 154s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2022 13:20

Static task: static1
Behavioral task: behavioral1
Sample: Purchase_Order.exe
Resource: win7-20220901-en
General

Target: Purchase_Order.exe
Size: 295KB
MD5: 4e256d3d4ddbcc9c1d2cfa57034a0d52
SHA1: 60ec184a1ab03af29341f093791e210202814f1c
SHA256: 5463db9a5e180df75642646615cfd6ff7598b9846718c2224f19c878ee01dc00
SHA512: 2e455bd66870778fc511515d3db4ae3b14d16374436cc4f6b70c182b42f2c70f977b9976194c1fb392f0ab28ebc4b7fd3ecec87fba279a541c6be396425fd79e
SSDEEP: 6144:uj5zFdfKy5i+xc+tR5VwWmKH0LYlA8yjXeIIzls3GEioll+8zE7ev:efKy5p9tBmKUL0uhIoGEiQltEi
Malware Config
Extracted
formbook
i65a
r00zzvD9uoqMkFT8XDSqPg==
iSMQDJ3Tyuj8KXflBw==
Gq+tYoFrGU/5B4gGNnzHNg==
wEwcynSwpynZKUFhqyIK
bw3PbrjowhAVJA==
TggEt9LuwhAVJA==
r0UqC6sxgcWN7vc=
0m+fwBgf0oyehByUtx51BsBkuj8=
dhtdWWyIhRatp2dpv8tPcJoQ
jTAw4/4TCwcXjpECXDSqPg==
aglx4nPPkGp/raeivGVOfzdbFIu4
+qXr4cAGtQJm7Mf6
sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=
E6ohOo2zadVgzLIfaWALaik=
wXwu0yo/KbNm7Mf6
EcoyojCJYKg1laCuBK+exkNbFIu4
bhZgFvj6yP+R4F+0/5S/oFMpAA==
rzlylCB1NIMabG2dzGQd
+5ngCKjwwhAVJA==
AMUtZrYh+0LPL/QyfSo=
hzqw1O4JApAae41vjXUOeC8=
C7guqfg0PD5dvVf4DQ==
BsM1AaksgMWN7vc=
5pcGLkVbBUPPL/QyfSo=
TvMO/UKDdcWN7vc=
fCNJYrrKfTprvVf4DQ==
5rfNvNbPhEFrvVf4DQ==
9717JcIR+w4iNgKcr91It5f448HcIA==
Wfo2UPQmr3SeAgqCx+ihjjsY
Svg8XfRAHZ5DvXj4EA==
TuXg5TNpdh6yCOmt0pkeNaKCuzc=
fjn46QYnKM4w0+g=
WRV/AkxH/M7NzFzkCw91Zpz048HcIA==
Bo6ILlHigRGpGJRgtPd6WQFsGA==
ZCdTYvhSBMTjO0mpy+ihjjsY
Vg104XmxSn8DTRA2YCA=
fBmNxO/pwkHXAKalv3UOeC8=
2YL6LEtrcsyquo2wz3ahjjsY
iC2cyuTQsS3KHymco5LiuXXRdYc9KA==
JvGrI2XdqxWjoPQyfSo=
NMuVRIiBW1Nhjn9zgw3PwEJbFIu4
7KsjVqn0meiO7MVyjXUOeC8=
XvgsVPgmHCtBPPXC7IhcycBkuj8=
HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8=
ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx
PvN6Nk9THuEFRZYCFA==
cx/LcM3luPqVmxJ+jhMI
smWwq8nUo09jvVf4DQ==
aBnnX3Z7RIQqQsRdhz0=
8o1CKXiwmgZm7Mf6
s2NR7g0vRFBRp3VhqyIK
DLYGcptChcWN7vc=
0GEVmuU0F1jkMfQyfSo=
s1Kiy26yq6+H9spyinUOeC8=
CZxV2PHhkdRu/ewuGg==
y8Xu3/EguTvj
ulTCKLYf9ULaNPQyfSo=
1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q==
V+zu64nHc059gzjoEtXhkxEB
dQkau9PuwhAVJA==
NMYypu3zqoGsllajzOShjjsY
Wxkhx+n/zcWN7vc=
74dZAaju4XcRfFR3kzM=
u3R6gBVPPDpcvVf4DQ==
partnermdg.com
Signatures

Suspicious use of SetThreadContext (3 IoCs)
Processes: Purchase_Order.exe, cvtres.exe, raserver.exe
description                          | pid  | process            | target process
PID 2140 set thread context of 4856  | 2140 | Purchase_Order.exe | cvtres.exe
PID 4856 set thread context of 3044  | 4856 | cvtres.exe         | Explorer.EXE
PID 372 set thread context of 3044   | 372  | raserver.exe       | Explorer.EXE

Modifies Internet Explorer settings (1 IoC)
Processes: raserver.exe
description | ioc                                                                                                                 | process
Key created | \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | raserver.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: cvtres.exe, raserver.exe
pid  | process      | events
4856 | cvtres.exe   | 8
372  | raserver.exe | 52

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid  | process
3044 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: cvtres.exe, raserver.exe
pid  | process      | events
4856 | cvtres.exe   | 3
372  | raserver.exe | 4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: cvtres.exe, raserver.exe
description             | pid  | process
Token: SeDebugPrivilege | 4856 | cvtres.exe
Token: SeDebugPrivilege | 372  | raserver.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Purchase_Order.exe, Explorer.EXE, raserver.exe
description                      | pid  | process            | target process | events
PID 2140 wrote to memory of 4856 | 2140 | Purchase_Order.exe | cvtres.exe     | 6
PID 3044 wrote to memory of 372  | 3044 | Explorer.EXE       | raserver.exe   | 3
PID 372 wrote to memory of 2756  | 372  | raserver.exe       | Firefox.exe    | 3
Processes

C:\Windows\Explorer.EXE
  command line: "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
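The injection chain recorded in the Signatures and Processes sections above, correlated by an added script. This is example code written for this page, not the sandbox's own; the event tuples, the parent map and the image paths are transcribed from the report's WriteProcessMemory / SetThreadContext tables and its process tree, with duplicate rows collapsed.

```python
"""Correlate the report's process-injection signature rows into an injection
graph and flag the patterns that matter for triage.  Added example; EVENTS,
PARENT and IMAGE_PATH are transcribed from this report, not generated by it."""
from collections import defaultdict, deque

# (api, source pid, source image, target pid, target image), as reported
EVENTS = [
    ("WriteProcessMemory", 2140, "Purchase_Order.exe", 4856, "cvtres.exe"),
    ("SetThreadContext",   2140, "Purchase_Order.exe", 4856, "cvtres.exe"),
    ("SetThreadContext",   4856, "cvtres.exe",         3044, "Explorer.EXE"),
    ("WriteProcessMemory", 3044, "Explorer.EXE",        372, "raserver.exe"),
    ("SetThreadContext",    372, "raserver.exe",       3044, "Explorer.EXE"),
    ("WriteProcessMemory",  372, "raserver.exe",       2756, "Firefox.exe"),
]

# child pid -> parent pid, from the Processes tree (Explorer.EXE is the root)
PARENT = {2140: 3044, 4856: 2140, 372: 3044, 2756: 372}

# image paths from the Processes tree
IMAGE_PATH = {
    3044: r"C:\Windows\Explorer.EXE",
    2140: r"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe",
    4856: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
    372:  r"C:\Windows\SysWOW64\raserver.exe",
    2756: r"C:\Program Files\Mozilla Firefox\Firefox.exe",
}


def injection_edges(events):
    """Map each (source pid, target pid) pair to the set of APIs used on it."""
    edges = defaultdict(set)
    for api, src, _, dst, _ in events:
        edges[(src, dst)].add(api)
    return dict(edges)


def hollowing_candidates(events, parent):
    """A parent that writes into a child it spawned AND resets that child's
    thread context: the process-hollowing / thread-hijack signature."""
    hits = []
    for (src, dst), apis in injection_edges(events).items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis and parent.get(dst) == src:
            hits.append((src, dst))
    return sorted(hits)


def non_child_targets(events, parent):
    """Injection into a process the source did not create (here Explorer.EXE):
    migration into an already running host rather than a spawned one."""
    return sorted({(src, dst) for _, src, _, dst, _ in events if parent.get(dst) != src})


def injection_chain(events, start_pid):
    """Breadth-first walk over the injection edges from start_pid; returns the
    ordered list of pids the payload reached."""
    edges = injection_edges(events)
    order, queue, seen = [], deque([start_pid]), {start_pid}
    while queue:
        pid = queue.popleft()
        order.append(pid)
        for src, dst in sorted(edges):
            if src == pid and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return order


def windows_hosts(events, image_path):
    """Injection targets that live under the Windows directory, i.e. trusted
    Microsoft binaries being used as hosts for the payload."""
    names = set()
    for _, _, _, dst, img in events:
        if image_path.get(dst, "").lower().startswith("c:\\windows\\"):
            names.add(img)
    return sorted(names)


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(EVENTS, PARENT))
    print("migration:", non_child_targets(EVENTS, PARENT))
    print("chain from dropper:", injection_chain(EVENTS, 2140))
    print("trusted hosts:", windows_hosts(EVENTS, IMAGE_PATH))
```

Run against the report's rows, the dropper's only parent-to-child write-plus-SetThreadContext pair is Purchase_Order.exe into cvtres.exe, the two injections into Explorer.EXE are migrations into a process neither injector created, and the chain from PID 2140 ends in Firefox.exe. The same correlation applies unchanged to Sysmon or EDR telemetry that records the source, target and API of cross-process writes.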
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/372-148-0x0000000000E40000-0x0000000000E6D000-memory.dmp    Filesize 180KB
memory/372-146-0x0000000002B60000-0x0000000002BEF000-memory.dmp    Filesize 572KB
memory/372-145-0x0000000002D40000-0x000000000308A000-memory.dmp    Filesize 3.3MB
memory/372-143-0x0000000000370000-0x000000000038F000-memory.dmp    Filesize 124KB
memory/372-144-0x0000000000E40000-0x0000000000E6D000-memory.dmp    Filesize 180KB
memory/372-142-0x0000000000000000-mapping.dmp
memory/2140-132-0x0000000000C50000-0x0000000000C9E000-memory.dmp   Filesize 312KB
memory/3044-141-0x0000000007D10000-0x0000000007DC9000-memory.dmp   Filesize 740KB
memory/3044-147-0x0000000007DD0000-0x0000000007F4E000-memory.dmp   Filesize 1.5MB
memory/3044-149-0x0000000007DD0000-0x0000000007F4E000-memory.dmp   Filesize 1.5MB
memory/4856-140-0x00000000017E0000-0x00000000017F0000-memory.dmp   Filesize 64KB
memory/4856-139-0x00000000013A0000-0x00000000016EA000-memory.dmp   Filesize 3.3MB
memory/4856-138-0x0000000000401000-0x000000000042F000-memory.dmp   Filesize 184KB
memory/4856-137-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize 188KB
memory/4856-136-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize 188KB
memory/4856-134-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize 188KB
memory/4856-133-0x0000000000000000-mapping.dmp
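The dump names above encode the pid, a snapshot sequence number and the address range of each captured region. The following added script (written for this page; not the sandbox's own tooling) parses those names, checks that each range reproduces the listed Filesize, and picks the dumps worth pulling first: regions at the default 0x400000 image base, where a hollowed host's image sits and an injected PE is typically written, and the largest region per process. DUMPS is this report's Downloads list with the reported size beside each name (None for mapping dumps, which list none).

```python
"""Parse sandbox memory-dump names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, derive region sizes and rank
the dumps for payload extraction.  Added example; DUMPS is copied from this
report's Downloads list."""
import re
from dataclasses import dataclass
from typing import Optional

DUMPS = [
    ("memory/372-148-0x0000000000E40000-0x0000000000E6D000-memory.dmp", "180KB"),
    ("memory/372-146-0x0000000002B60000-0x0000000002BEF000-memory.dmp", "572KB"),
    ("memory/372-145-0x0000000002D40000-0x000000000308A000-memory.dmp", "3.3MB"),
    ("memory/372-143-0x0000000000370000-0x000000000038F000-memory.dmp", "124KB"),
    ("memory/372-144-0x0000000000E40000-0x0000000000E6D000-memory.dmp", "180KB"),
    ("memory/372-142-0x0000000000000000-mapping.dmp", None),
    ("memory/2140-132-0x0000000000C50000-0x0000000000C9E000-memory.dmp", "312KB"),
    ("memory/3044-141-0x0000000007D10000-0x0000000007DC9000-memory.dmp", "740KB"),
    ("memory/3044-147-0x0000000007DD0000-0x0000000007F4E000-memory.dmp", "1.5MB"),
    ("memory/3044-149-0x0000000007DD0000-0x0000000007F4E000-memory.dmp", "1.5MB"),
    ("memory/4856-140-0x00000000017E0000-0x00000000017F0000-memory.dmp", "64KB"),
    ("memory/4856-139-0x00000000013A0000-0x00000000016EA000-memory.dmp", "3.3MB"),
    ("memory/4856-138-0x0000000000401000-0x000000000042F000-memory.dmp", "184KB"),
    ("memory/4856-137-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/4856-136-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/4856-134-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/4856-133-0x0000000000000000-mapping.dmp", None),
]

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for mapping dumps, which carry no region
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump(name):
    """Split one dump name into its fields; raises on names outside the scheme."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return Dump(name, int(m.group("pid")), int(m.group("seq")),
                int(m.group("start"), 16), int(end, 16) if end else None, m.group("kind"))


def size_label(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def size_mismatches(dumps=DUMPS):
    """Names whose address range does not reproduce the listed Filesize."""
    return [name for name, reported in dumps
            if reported is not None and size_label(parse_dump(name).size) != reported]


def payload_candidates(dumps=DUMPS, image_base=0x400000):
    """(pid, seq) of region dumps starting at the default image base."""
    parsed = [parse_dump(name) for name, _ in dumps]
    return sorted((d.pid, d.seq) for d in parsed if d.kind == "memory" and d.start == image_base)


def largest_region_per_pid(dumps=DUMPS):
    """{pid: (seq, size)} of the biggest captured region; unpacked stages tend to be large."""
    best = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d.size is not None and (d.pid not in best or d.size > best[d.pid][1]):
            best[d.pid] = (d.seq, d.size)
    return best


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    print("image-base regions:", payload_candidates())
    for pid, (seq, size) in sorted(largest_region_per_pid().items()):
        print(f"pid {pid}: largest region is snapshot {seq} ({size_label(size)})")
```

For this report every listed size is reproduced from its address range, the three 0x400000 regions all belong to the hollowed cvtres.exe (PID 4856), and the largest regions in cvtres.exe and raserver.exe are the same 3.3MB, consistent with the same stage having been written into both hosts.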