Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-09-2022 19:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe
  - Resource: win7-20220812-en
General
- Target: Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe (a PE carrying a .doc.gz decoy double extension)
- Size: 313KB
- MD5: 624b5a402b803e5387ad3703512b6245
- SHA1: c13ee0108903b3e3408db80e9d8b601f4831649b
- SHA256: 6cb6ca24a5438e646c710e6f4f0c7f4f79d12faa9cf647e89a215083eea45417
- SHA512: cc7d20501feadf1599f936d8bba67973c052af9c99a617efde1b3d56b7c3b6b4be86865e924b25efbf2bb1486355bcff07c52459d7da5b202b0c701087daab8b
- SSDEEP: 6144:Mnfj51HnOQ7hseU+3FfVpJem0rHkMMQNI2tK+u:+5tnnN13FbEkOpK
Malware Config
Extracted
- Family: formbook
- Campaign: r4am
- Decoy list (the entries are Formbook's encoded decoy strings exactly as the sandbox extracted them; they are not decrypted on this page):
7s+N0ZPIJ9VpqrvtKksXc7XuyWQV
b10VlJxyr+gCSypTPq+ttg==
p38gcQiwILmDccYrmbc=
J/ORoE40XwuxoUBl0DCnAjg=
waVc3Ur4Ig/2N0Ju2wG1DbgtjWxhIxs=
yp97AnUvgTnkTw4b
mYElQRz+60TcJwkmpAqVnYfUymE=
aUfuNJdSXN/qNxE/cpiTmoTL/4cd
aR/gJFPYz8rH+cVCjpty
xY45ukYcf0olJqofG75t
TBq3DAxHoNxz8qesW9Ft
TTP/Dhhszw/D8kZdFg==
qHgNTp0fYKBi19z346EcuNxg
A83SygeBE+V16/U=
LOesLh1Ykw8BKSmyaV1l
y6paCH8rmVAlJQ==
vYwzUX3wKXJGnWGyaV1l
lXVE0tXBtEtmmVeyaV1l
dV80xnHwI1aoF/MR
AN1o76cpYJhWVyFS1TCnAjg=
XC+mtHyKvtrTBtZPjHItQzA=
MhPbG9oQez4sWypZVvizCdbL/4cd
EuipPcw2Li8rVxxOPq+ttg==
5tGBmtBmqiLm45ujn0ADWX3IRA==
xYc0iJHgRYc1cgtTDw==
cVsEVMkoCP7hEwcUU25prmOozBG5wA==
bjK5zQBunMZxaiItrgTMHQp5
1L+S7OS/nBcBKimyaV1l
3q6H4EkMVFLsMQpSDQ==
LwewNkZAObii4usU0znk5G7tTSgg8Ag=
az3xS19SNuV16/U=
r3wfMG8SSMzS6jtGBQ==
OP/DUm9pS7J/+sYrmbc=
0pUXXjZh1p9rdgwxncFrtf4ohmhVBhE=
RDHicg15UUQVcHWrdRkMVZD+XQ==
It6DBZMHFuOhnYeobAv2MtRDjWhVBhE=
4LteqavxJpV3mV5tW0o8dkmozBG5wA==
mnw1uV3PnouOu4zQhSoVVZD+XQ==
9ueX2g2BmVAlJQ==
jwLuBD+nUAD/
MxXFRkIsZhez/sYrmbc=
p4U4wlQogy/WyT6AT6A=
07Zv9fMD3MR8afdCjpty
BNKQJpJfJuV16/U=
qp02vMiynyT7/b/uK1IcuNxg
MviGCDCO7oFg3cQaSbmCDD4=
h1sctJvTvjLaIE2yaV1l
3qVCgzUrDndFvZYWi64=
knI8nuDpTSQ=
Dfum8NMEb7pUK8TXlYH6sunaS2k=
m31BzNC6/sOP/sYrmbc=
i0TvPiVjzHmfnCs9Pq+ttg==
MxfTJ38I7Ou3ECWyaV1l
l18Xm6eehQYChkdRDA==
Dguz+3HlzdjqF/IpqBH/VZD+XQ==
sZU1SihglhMT77rypVJKeOnaS2k=
hVpNGsoFXMvbX9xTUiwZVZD+XQ==
k1IrZzBk1fwDcgtTDw==
wKMZkRp/mVAlJQ==
Y04PlRt/mVAlJQ==
oZFQlMZNNj05YitOPq+ttg==
f0sKoFX0XKY8DcdCjpty
VAGv9/4DdPX1
KAfI3iCj0A7N1Z7DdhH/VZD+XQ==
authorsong.com
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  - chkdsk.exe (PID 1480)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  - PID 900 (Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe) set thread context of PID 1908 (cvtres.exe)
  - PID 1908 (cvtres.exe) set thread context of PID 1420 (Explorer.EXE)
  - PID 1480 (chkdsk.exe) set thread context of PID 1420 (Explorer.EXE)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
  - chkdsk.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- Modifies Internet Explorer settings (1 IoC)
  Processes:
  - chkdsk.exe: key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (the key under which Internet Explorer keeps saved form and password autocomplete data)
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes:
  - cvtres.exe (PID 1908): 4 events
  - chkdsk.exe (PID 1480): 23 events
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes:
  - cvtres.exe (PID 1908): 3 events
  - chkdsk.exe (PID 1480): 4 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - cvtres.exe (PID 1908): Token SeDebugPrivilege
  - chkdsk.exe (PID 1480): Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - Explorer.EXE (PID 1420): 2 events
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  - Explorer.EXE (PID 1420): 2 events
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  - PID 900 (Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe) wrote to memory of PID 1908 (cvtres.exe): 7 events
  - PID 1420 (Explorer.EXE) wrote to memory of PID 1480 (chkdsk.exe): 4 events
  - PID 1480 (chkdsk.exe) wrote to memory of PID 1604 (Firefox.exe): 5 events
Processes
- C:\Windows\Explorer.EXE (PID 1420)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe (PID 900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1908)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\chkdsk.exe (PID 1480)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1604)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\sqlite3.dll (the only dropped file listed)
  Filesize: 841KB
  MD5: 5fc6cd5d5ca1489d2a3c361717359a95
  SHA1: 5c630e232cd5761e7a611e41515be4afa3e7a141
  SHA256: 85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81
  SHA512: 5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792
- memory/900-54-0x0000000000D20000-0x0000000000D6E000-memory.dmp (312KB)
- memory/900-56-0x0000000000280000-0x0000000000286000-memory.dmp (24KB)
- memory/900-57-0x0000000000450000-0x000000000045C000-memory.dmp (48KB)
- memory/900-58-0x0000000000460000-0x0000000000468000-memory.dmp (32KB)
- memory/900-55-0x0000000000270000-0x0000000000278000-memory.dmp (32KB)
- memory/1420-77-0x0000000006B70000-0x0000000006C9F000-memory.dmp (1.2MB)
- memory/1420-76-0x0000000006B70000-0x0000000006C9F000-memory.dmp (1.2MB)
- memory/1420-70-0x00000000072F0000-0x0000000007494000-memory.dmp (1.6MB)
- memory/1480-78-0x0000000076121000-0x0000000076123000-memory.dmp (8KB)
- memory/1480-71-0x0000000000000000-mapping.dmp
- memory/1480-75-0x0000000001D80000-0x0000000001E0F000-memory.dmp (572KB)
- memory/1480-74-0x0000000001FC0000-0x00000000022C3000-memory.dmp (3.0MB)
- memory/1480-72-0x0000000000480000-0x0000000000487000-memory.dmp (28KB)
- memory/1480-73-0x00000000000C0000-0x00000000000ED000-memory.dmp (180KB)
- memory/1908-60-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1908-69-0x0000000000260000-0x0000000000270000-memory.dmp (64KB)
- memory/1908-68-0x0000000000900000-0x0000000000C03000-memory.dmp (3.0MB)
- memory/1908-67-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
- memory/1908-66-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1908-65-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1908-63-0x00000000004012B0-mapping.dmp
- memory/1908-62-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1908-59-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)