Analysis

max time kernel:   149s
max time network:  151s
platform:          windows10-2004_x64
resource:          win10v2004-20220901-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted:         29-09-2022 18:38

Static task:       static1
Behavioral task:   behavioral1
  Sample:          Purchase_Order.exe
  Resource:        win7-20220812-en

General

Target:  Purchase_Order.exe
Size:    460KB
MD5:     3b5056e4430804872a253c034ac9ca47
SHA1:    2b0942b8aa1615a5d8c61326a3c88fa4d0658e09
SHA256:  f468e0e25debea49005582be9279616ee2f100a73cbedaaecebdc210a5515102
SHA512:  993b3511e6fa766b85418b2fc69ab921f8a51f377b3ca6a6caf818eaea9e6e90f26135c5dd89d76676b743d75f99a6d0d9c98942d16c522133e629a1484af3c3
SSDEEP:  6144:j246z2kJ7ZM3X2a2gIi9pGB9o2L3v+1LqtOLzqTEogLXax:j246zrTMqi9EB9oU21LqtrETX
Malware Config

Extracted (formbook)
  Family:       formbook
  Campaign ID:  i65a
  Decoys (64 entries, shown exactly as extracted; these are base64-wrapped ciphertext, so plain base64 decoding does not yield domains):
    r00zzvD9uoqMkFT8XDSqPg==
    iSMQDJ3Tyuj8KXflBw==
    Gq+tYoFrGU/5B4gGNnzHNg==
    wEwcynSwpynZKUFhqyIK
    bw3PbrjowhAVJA==
    TggEt9LuwhAVJA==
    r0UqC6sxgcWN7vc=
    0m+fwBgf0oyehByUtx51BsBkuj8=
    dhtdWWyIhRatp2dpv8tPcJoQ
    jTAw4/4TCwcXjpECXDSqPg==
    aglx4nPPkGp/raeivGVOfzdbFIu4
    +qXr4cAGtQJm7Mf6
    sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=
    E6ohOo2zadVgzLIfaWALaik=
    wXwu0yo/KbNm7Mf6
    EcoyojCJYKg1laCuBK+exkNbFIu4
    bhZgFvj6yP+R4F+0/5S/oFMpAA==
    rzlylCB1NIMabG2dzGQd
    +5ngCKjwwhAVJA==
    AMUtZrYh+0LPL/QyfSo=
    hzqw1O4JApAae41vjXUOeC8=
    C7guqfg0PD5dvVf4DQ==
    BsM1AaksgMWN7vc=
    5pcGLkVbBUPPL/QyfSo=
    TvMO/UKDdcWN7vc=
    fCNJYrrKfTprvVf4DQ==
    5rfNvNbPhEFrvVf4DQ==
    9717JcIR+w4iNgKcr91It5f448HcIA==
    Wfo2UPQmr3SeAgqCx+ihjjsY
    Svg8XfRAHZ5DvXj4EA==
    TuXg5TNpdh6yCOmt0pkeNaKCuzc=
    fjn46QYnKM4w0+g=
    WRV/AkxH/M7NzFzkCw91Zpz048HcIA==
    Bo6ILlHigRGpGJRgtPd6WQFsGA==
    ZCdTYvhSBMTjO0mpy+ihjjsY
    Vg104XmxSn8DTRA2YCA=
    fBmNxO/pwkHXAKalv3UOeC8=
    2YL6LEtrcsyquo2wz3ahjjsY
    iC2cyuTQsS3KHymco5LiuXXRdYc9KA==
    JvGrI2XdqxWjoPQyfSo=
    NMuVRIiBW1Nhjn9zgw3PwEJbFIu4
    7KsjVqn0meiO7MVyjXUOeC8=
    XvgsVPgmHCtBPPXC7IhcycBkuj8=
    HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8=
    ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx
    PvN6Nk9THuEFRZYCFA==
    cx/LcM3luPqVmxJ+jhMI
    smWwq8nUo09jvVf4DQ==
    aBnnX3Z7RIQqQsRdhz0=
    8o1CKXiwmgZm7Mf6
    s2NR7g0vRFBRp3VhqyIK
    DLYGcptChcWN7vc=
    0GEVmuU0F1jkMfQyfSo=
    s1Kiy26yq6+H9spyinUOeC8=
    CZxV2PHhkdRu/ewuGg==
    y8Xu3/EguTvj
    ulTCKLYf9ULaNPQyfSo=
    1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q==
    V+zu64nHc059gzjoEtXhkxEB
    dQkau9PuwhAVJA==
    NMYypu3zqoGsllajzOShjjsY
    Wxkhx+n/zcWN7vc=
    74dZAaju4XcRfFR3kzM=
    u3R6gBVPPDpcvVf4DQ==
  C2 domain:    partnermdg.com
Extracted (xloader)
  Family:       xloader
  Version:      3.8
  Campaign ID:  i65a
  Decoys:       the same 64 entries, in the same order, as the formbook extraction above (both extractors ran against the same embedded config, so the list is not repeated here)
  C2 domain:    partnermdg.com
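A first check an analyst wants on a config dump like this is whether the base64 entries are really opaque (still encrypted) or just encoded text that a sandbox extractor left undecoded. The following is an added example, not part of the report or of any sandbox tooling; it triages a handful of the entries above (constructed sample, copied from the list) and separates plain domains, base64 of readable text, and base64 of high-entropy bytes. The domain regex and the thresholds are the example's own assumptions.

```python
import base64
import binascii
import math
import re

# Constructed sample for this example: a handful of entries copied from the
# extracted config above. Paste the full 64-entry list here to triage it all.
CONFIG_ITEMS = [
    "r00zzvD9uoqMkFT8XDSqPg==",
    "iSMQDJ3Tyuj8KXflBw==",
    "y8Xu3/EguTvj",
    "dQkau9PuwhAVJA==",
    "1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q==",
    "partnermdg.com",
]

# Conservative hostname check (assumption of this example): dotted labels of
# letters, digits and hyphens with an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
# Canonical base64: groups of four alphabet chars, optional one- or two-char padding tail.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 looks random, ASCII text usually sits well below 5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def strict_b64decode(s: str):
    """Return the decoded bytes, or None if s is not canonical base64."""
    if not s or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s)
    except binascii.Error:
        return None


def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def classify_item(item: str) -> dict:
    """Label one config entry: a plain domain, base64 of readable text,
    base64 of opaque bytes (still encrypted), or something else."""
    if DOMAIN_RE.match(item):
        return {"item": item, "kind": "domain", "value": item.lower()}
    raw = strict_b64decode(item)
    if raw is None:
        return {"item": item, "kind": "unknown"}
    if is_printable_ascii(raw):
        return {"item": item, "kind": "base64_plaintext", "value": raw.decode("ascii")}
    return {
        "item": item,
        "kind": "base64_ciphertext",
        "length": len(raw),
        "entropy": round(shannon_entropy(raw), 2),
    }


def summarize(items) -> dict:
    """Count of entries per kind: if any base64 entry decodes to readable text the
    extractor left something undecoded, otherwise the list is ciphertext as expected."""
    counts = {}
    for item in items:
        kind = classify_item(item)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for item in CONFIG_ITEMS:
        print(classify_item(item))
    print(summarize(CONFIG_ITEMS))
```

Run against the sample entries, every base64 item decodes to bytes outside printable ASCII (the first entry alone is 16 bytes starting 0xAF), so the list is ciphertext and the only actionable indicator in the config as shown is the domain; the xloader extraction adds the version string but no further decoded values.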
Signatures

Suspicious use of SetThreadContext (3 IoCs)
  PID 4792 Purchase_Order.exe  set thread context of  3932 regsvcs.exe
  PID 3932 regsvcs.exe         set thread context of  2664 Explorer.EXE
  PID 3624 NETSTAT.EXE         set thread context of  2664 Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  PID 3624 NETSTAT.EXE
  Caveat: this signature fires on the image name. NETSTAT.EXE was started by Explorer.EXE with no arguments and is itself a SetThreadContext/WriteProcessMemory source (see below), so treat it as a hollowed host process, not as evidence that the sample enumerated network configuration.

Modifies Internet Explorer settings (1 IoC)
  PID 3624 NETSTAT.EXE: key created
    \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved credentials; a non-browser process touching it is consistent with credential harvesting rather than a settings change.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3932 regsvcs.exe   8 occurrences
  PID 3624 NETSTAT.EXE  56 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2664 Explorer.EXE (the process both regsvcs.exe and NETSTAT.EXE injected into)

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 3932 regsvcs.exe   3 occurrences
  PID 3624 NETSTAT.EXE   4 occurrences

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3932 regsvcs.exe
  Token: SeDebugPrivilege  PID 3624 NETSTAT.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4792 Purchase_Order.exe  wrote to memory of  3932 regsvcs.exe   (6 times)
  PID 2664 Explorer.EXE        wrote to memory of  3624 NETSTAT.EXE   (3 times)
  PID 3624 NETSTAT.EXE         wrote to memory of   364 Firefox.exe   (3 times)
Processes

C:\Windows\Explorer.EXE  (PID 2664)
  "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe  (PID 4792)
  |    "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
  |    - Suspicious use of SetThreadContext
  |    - Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe  (PID 3932)
  |         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  |         - Suspicious use of SetThreadContext
  |         - Suspicious behavior: EnumeratesProcesses
  |         - Suspicious behavior: MapViewOfSection
  |         - Suspicious use of AdjustPrivilegeToken
  |
  +- C:\Windows\SysWOW64\NETSTAT.EXE  (PID 3624)
       "C:\Windows\SysWOW64\NETSTAT.EXE"
       - Suspicious use of SetThreadContext
       - Gathers network information
       - Modifies Internet Explorer settings
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 364)
            "C:\Program Files\Mozilla Firefox\Firefox.exe"

PIDs are taken from the signature tables above. Read together with them, the tree shows code moving Purchase_Order.exe -> regsvcs.exe (spawned, written to, thread context replaced) -> Explorer.EXE (thread context of the running shell replaced) -> NETSTAT.EXE (started by the shell with no arguments and written to) -> Firefox.exe (written to by NETSTAT.EXE).
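The SetThreadContext and WriteProcessMemory tables are enough to recover the whole injection chain mechanically, which is useful when a report has dozens of rows rather than nine. The following is an added example, not part of the report or of the sandbox: it parses rows in the sandbox's own row format (constructed sample, one row per distinct source/target pair from the tables above), labels each cross-process edge using the parent/child relationships from the process tree, and walks the edges outward from the sample. The rule names and the PARENT map are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: one row per distinct (source, target) pair from the
# "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory"
# tables above, in the sandbox's own row format. Repeated rows (the report has
# six identical Purchase_Order.exe -> regsvcs.exe writes) collapse to one edge.
REPORT_ROWS = """
PID 4792 set thread context of 3932 4792 Purchase_Order.exe regsvcs.exe
PID 3932 set thread context of 2664 3932 regsvcs.exe Explorer.EXE
PID 3624 set thread context of 2664 3624 NETSTAT.EXE Explorer.EXE
PID 4792 wrote to memory of 3932 4792 Purchase_Order.exe regsvcs.exe
PID 2664 wrote to memory of 3624 2664 Explorer.EXE NETSTAT.EXE
PID 3624 wrote to memory of 364 3624 NETSTAT.EXE Firefox.exe
""".strip().splitlines()

# child pid -> parent pid, taken from the process tree above (assumed complete).
PARENT = {4792: 2664, 3932: 4792, 3624: 2664, 364: 3624}

ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)"
)
API = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}


def parse_rows(rows):
    """Return (edges, names): edges maps (src_pid, dst_pid) -> set of APIs used,
    names maps pid -> image name. Rows that do not match are ignored."""
    edges, names = {}, {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, api, dst = int(m[1]), API[m[2]], int(m[3])
        names[src], names[dst] = m[4], m[5]
        edges.setdefault((src, dst), set()).add(api)
    return edges, names


def classify(edges, names, parent):
    """One finding per cross-process edge:
    - write plus thread-context change into a process you created: hollowing
    - thread-context change into a process you did not create: hijack of a live process
    - write only, into your own child: staging code in a child you control
    """
    findings = []
    for (src, dst), apis in edges.items():
        s, d = f"{names[src]}({src})", f"{names[dst]}({dst})"
        own_child = parent.get(dst) == src
        if {"WriteProcessMemory", "SetThreadContext"} <= apis and own_child:
            findings.append(("process_hollowing", s, d))
        elif "SetThreadContext" in apis and not own_child:
            findings.append(("thread_hijack_existing_process", s, d))
        elif "WriteProcessMemory" in apis and own_child:
            findings.append(("code_written_into_child", s, d))
        else:
            findings.append(("other_cross_process_access", s, d))
    return findings


def injection_chain(edges, names, start_pid):
    """Follow injection edges outward from the sample (depth-first, each process
    visited once, so the NETSTAT.EXE -> Explorer.EXE back-edge is not re-walked)
    to recover the order in which code moved between processes."""
    adjacency = defaultdict(list)
    for src, dst in edges:
        if dst not in adjacency[src]:
            adjacency[src].append(dst)
    order, seen = [], set()

    def walk(pid):
        seen.add(pid)
        order.append(names[pid])
        for nxt in adjacency[pid]:
            if nxt not in seen:
                walk(nxt)

    walk(start_pid)
    return order


if __name__ == "__main__":
    edges, names = parse_rows(REPORT_ROWS)
    for finding in classify(edges, names, PARENT):
        print("%-32s %s -> %s" % finding)
    print(" -> ".join(injection_chain(edges, names, 4792)))
```

The labels depend on the parent map: a SetThreadContext into a process the source did not create is the strong signal here (both regsvcs.exe and NETSTAT.EXE do it to the already-running Explorer.EXE), whereas the same API used on a freshly spawned child is ordinary hollowing.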
Downloads (memory dumps)

Process                    Dump                                                              Range                  Size
Purchase_Order.exe (4792)  memory/4792-132-0x0000000000970000-0x00000000009E6000-memory.dmp  0x00970000-0x009E6000  472KB
regsvcs.exe (3932)         memory/3932-133-0x0000000000000000-mapping.dmp                    (mapping)              -
regsvcs.exe (3932)         memory/3932-134-0x0000000000400000-0x000000000042F000-memory.dmp  0x00400000-0x0042F000  188KB
regsvcs.exe (3932)         memory/3932-136-0x0000000000400000-0x000000000042F000-memory.dmp  0x00400000-0x0042F000  188KB
regsvcs.exe (3932)         memory/3932-137-0x0000000000401000-0x000000000042F000-memory.dmp  0x00401000-0x0042F000  184KB
regsvcs.exe (3932)         memory/3932-139-0x00000000016A0000-0x00000000019EA000-memory.dmp  0x016A0000-0x019EA000  3.3MB
regsvcs.exe (3932)         memory/3932-140-0x00000000010D0000-0x00000000010E0000-memory.dmp  0x010D0000-0x010E0000  64KB
regsvcs.exe (3932)         memory/3932-143-0x0000000000400000-0x000000000042F000-memory.dmp  0x00400000-0x0042F000  188KB
regsvcs.exe (3932)         memory/3932-144-0x0000000000401000-0x000000000042F000-memory.dmp  0x00401000-0x0042F000  184KB
Explorer.EXE (2664)        memory/2664-141-0x0000000007FB0000-0x00000000080EA000-memory.dmp  0x07FB0000-0x080EA000  1.2MB
Explorer.EXE (2664)        memory/2664-149-0x0000000002DE0000-0x0000000002E88000-memory.dmp  0x02DE0000-0x02E88000  672KB
Explorer.EXE (2664)        memory/2664-151-0x0000000002DE0000-0x0000000002E88000-memory.dmp  0x02DE0000-0x02E88000  672KB
NETSTAT.EXE (3624)         memory/3624-142-0x0000000000000000-mapping.dmp                    (mapping)              -
NETSTAT.EXE (3624)         memory/3624-145-0x0000000000FE0000-0x0000000000FEB000-memory.dmp  0x00FE0000-0x00FEB000  44KB
NETSTAT.EXE (3624)         memory/3624-146-0x0000000000710000-0x000000000073D000-memory.dmp  0x00710000-0x0073D000  180KB
NETSTAT.EXE (3624)         memory/3624-147-0x00000000011A0000-0x00000000014EA000-memory.dmp  0x011A0000-0x014EA000  3.3MB
NETSTAT.EXE (3624)         memory/3624-148-0x0000000000F50000-0x0000000000FDF000-memory.dmp  0x00F50000-0x00FDF000  572KB
NETSTAT.EXE (3624)         memory/3624-150-0x0000000000710000-0x000000000073D000-memory.dmp  0x00710000-0x0073D000  180KB

Process names are matched to PIDs via the signature tables above. The number after the PID in each file name is the snapshot sequence; the same range appearing more than once means the sandbox re-dumped it after its contents changed.
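Eighteen dump files is already more than anyone wants to open by hand, and the interesting ones are identifiable from the file names alone: a region dumped repeatedly changed between snapshots, and a private region of the same size in two different injected hosts is normally the same payload mapped twice. The following is an added example, not part of the report or the sandbox, that parses the Downloads list above (constructed sample, copied from the list) and picks out those dumps; the PID-to-name map is taken from the signature tables.

```python
import re
from collections import defaultdict

# Constructed sample: the dump file names from the Downloads list above, one per line.
DUMP_LIST = """
memory/2664-141-0x0000000007FB0000-0x00000000080EA000-memory.dmp
memory/2664-151-0x0000000002DE0000-0x0000000002E88000-memory.dmp
memory/2664-149-0x0000000002DE0000-0x0000000002E88000-memory.dmp
memory/3624-146-0x0000000000710000-0x000000000073D000-memory.dmp
memory/3624-145-0x0000000000FE0000-0x0000000000FEB000-memory.dmp
memory/3624-150-0x0000000000710000-0x000000000073D000-memory.dmp
memory/3624-148-0x0000000000F50000-0x0000000000FDF000-memory.dmp
memory/3624-147-0x00000000011A0000-0x00000000014EA000-memory.dmp
memory/3624-142-0x0000000000000000-mapping.dmp
memory/3932-136-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3932-144-0x0000000000401000-0x000000000042F000-memory.dmp
memory/3932-143-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3932-137-0x0000000000401000-0x000000000042F000-memory.dmp
memory/3932-140-0x00000000010D0000-0x00000000010E0000-memory.dmp
memory/3932-134-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3932-139-0x00000000016A0000-0x00000000019EA000-memory.dmp
memory/3932-133-0x0000000000000000-mapping.dmp
memory/4792-132-0x0000000000970000-0x00000000009E6000-memory.dmp
""".strip()

# pid -> image name, from the signature tables in the report.
NAMES = {4792: "Purchase_Order.exe", 3932: "regsvcs.exe", 2664: "Explorer.EXE", 3624: "NETSTAT.EXE"}

# memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp ; "-mapping.dmp" files have no range.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(text):
    """(pid, start, end) -> sorted snapshot ids. Mapping-only entries are skipped."""
    regions = defaultdict(list)
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            pid, snap, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions[(pid, start, end)].append(snap)
    return {k: sorted(v) for k, v in regions.items()}


def region_size(key):
    _, start, end = key
    return end - start


def repeated_snapshots(regions):
    """Regions the sandbox dumped more than once: memory that changed between
    snapshots, e.g. an image being overwritten in place after it was mapped."""
    return {k: v for k, v in regions.items() if len(v) > 1}


def same_size_across_processes(regions):
    """Region sizes present in more than one process; the same payload mapped
    into each injected host is the usual cause."""
    by_size = defaultdict(set)
    for key in regions:
        by_size[region_size(key)].add(key[0])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def largest_region(regions, pid):
    """The biggest dumped region of one process, the natural first dump to open."""
    keys = [k for k in regions if k[0] == pid]
    return max(keys, key=region_size) if keys else None


if __name__ == "__main__":
    regions = parse_dumps(DUMP_LIST)
    for (pid, start, end), snaps in repeated_snapshots(regions).items():
        print(f"{NAMES.get(pid, pid)} {start:#010x}-{end:#010x} dumped {len(snaps)}x, snapshots {snaps}")
    for size, pids in same_size_across_processes(regions).items():
        print(f"{size:#x} bytes appears in {[NAMES.get(p, p) for p in pids]}")
    for pid in NAMES:
        print(NAMES[pid], largest_region(regions, pid))
```

On this report the output singles out the 0x00400000-0x0042F000 region of regsvcs.exe (its image, dumped three times, consistent with the hollowing shown by the SetThreadContext and WriteProcessMemory tables) and a 0x34A000-byte region present in both regsvcs.exe and NETSTAT.EXE, which is where to start if the goal is an unpacked payload.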