Analysis
- max time kernel: 154s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 09:43
Static task: static1
Behavioral task behavioral1: Sample Purchase Order No-079 DT 03.10.2022.exe, Resource win7-20220901-en
Behavioral task behavioral2: Sample Purchase Order No-079 DT 03.10.2022.exe, Resource win10v2004-20220812-en (the run reported below)
General
- Target: Purchase Order No-079 DT 03.10.2022.exe
- Size: 371KB
- MD5: 06d111e86da46ee91aad0b9e3c4ceb7c
- SHA1: 8fe930a374cd43bc4b1d57f79c6beef78ff77042
- SHA256: d7d73c00b7da86c119784a524a81220be76a1804f731ba08618922ef448bdd3c
- SHA512: 5a3a92361846a9eb2a613e3d1abd287cd68d7cf702950e7d344bd92ddb1b839894c1195750a970b2b85277a80636a2eefb72ff179d179f657e4882a3e81f84f0
- SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/zH3F3rZ30fPMUYjGE:lToPWBv/cpGrU3y8tGzXFbZ0fE3iE
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: impmxacrhmmlzem.exe
    PID 1420  impmxacrhmmlzem.exe
    PID 3184  impmxacrhmmlzem.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: Purchase Order No-079 DT 03.10.2022.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  (Purchase Order No-079 DT 03.10.2022.exe)
- Loads dropped DLL (1 IoC)
  Processes: impmxacrhmmlzem.exe
    PID 2984  impmxacrhmmlzem.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: impmxacrhmmlzem.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (impmxacrhmmlzem.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (impmxacrhmmlzem.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  (impmxacrhmmlzem.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: impmxacrhmmlzem.exe
    PID 1420 (impmxacrhmmlzem.exe) set thread context of PID 2984 (impmxacrhmmlzem.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but no file encryption or ransom note is recorded in this run; taken together with the Outlook profile and browser-data access above, drive enumeration here is at least as consistent with an infostealer looking for files to collect.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: impmxacrhmmlzem.exe
    Token: SeDebugPrivilege  PID 2984  impmxacrhmmlzem.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Purchase Order No-079 DT 03.10.2022.exe, impmxacrhmmlzem.exe
    PID 4848 (Purchase Order No-079 DT 03.10.2022.exe) wrote to memory of PID 1420 (impmxacrhmmlzem.exe)  (3 IoCs)
    PID 1420 (impmxacrhmmlzem.exe) wrote to memory of PID 3184 (impmxacrhmmlzem.exe)  (3 IoCs)
    PID 1420 (impmxacrhmmlzem.exe) wrote to memory of PID 2984 (impmxacrhmmlzem.exe)  (4 IoCs)
- outlook_office_path (1 IoC)
  Processes: impmxacrhmmlzem.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  (impmxacrhmmlzem.exe)
- outlook_win_path (1 IoC)
  Processes: impmxacrhmmlzem.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (impmxacrhmmlzem.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order No-079 DT 03.10.2022.exe  (depth 1, PID 4848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order No-079 DT 03.10.2022.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe  (depth 2, PID 1420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe  (depth 3, PID 3184)
      Command line: "C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe  (depth 3, PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe"
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
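As an added example (not part of the sandbox report), the following Python script rebuilds the injection chain and the credential-store registry access from the behaviour records above and ranks them as triage findings: a WriteProcessMemory followed by SetThreadContext on a child running the same image is treated as self-injection (hollowing), a Geo\Nation query as a possible geofence, the Outlook profile keys as credential-store access, and SeDebugPrivilege enabled inside the hollowed child as an escalation of the same chain. The input is a constructed transcript of the records on this page; the function names, the severity scale and the pattern rules are this example's own assumptions, not the sandbox's.

```python
"""Rebuild the injection chain and credential-store access from the flat
sandbox behaviour records and turn them into ranked triage findings."""
import re

# Constructed input: the WriteProcessMemory, SetThreadContext, registry and
# token records from this report, one per line, repeated lines collapsed.
EVENTS = r"""
PID 4848 wrote to memory of 1420 4848 Purchase Order No-079 DT 03.10.2022.exe impmxacrhmmlzem.exe
PID 1420 wrote to memory of 3184 1420 impmxacrhmmlzem.exe impmxacrhmmlzem.exe
PID 1420 wrote to memory of 2984 1420 impmxacrhmmlzem.exe impmxacrhmmlzem.exe
PID 1420 set thread context of 2984 1420 impmxacrhmmlzem.exe impmxacrhmmlzem.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Purchase Order No-079 DT 03.10.2022.exe
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook impmxacrhmmlzem.exe
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook impmxacrhmmlzem.exe
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook impmxacrhmmlzem.exe
Token: SeDebugPrivilege 2984 impmxacrhmmlzem.exe
"""

# Image names may contain spaces, so the source image is matched lazily up to
# its first ".exe" and the target image greedily to the end of the line.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (.+?\.exe) (.+\.exe)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (.+?\.exe) (.+\.exe)$")
# The key path runs up to its last backslash-separated segment, then the process.
KEY_RE = re.compile(r"^Key (opened|value queried) (\\REGISTRY\\.*\\\S+) (.+\.exe)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (.+\.exe)$")

GEOFENCE_KEY = r"\Control Panel\International\Geo\Nation"
OUTLOOK_KEYS = (r"\Outlook\Profiles\Outlook",
                r"\Windows Messaging Subsystem\Profiles\Outlook")


def parse_events(text):
    """Group the sandbox lines by event type and learn each PID's image name."""
    ev = {"write": set(), "ctx": set(), "key": [], "token": [], "image": {}}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line) or CTX_RE.match(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            ev["image"][src], ev["image"][dst] = m.group(3), m.group(4)
            ev["write" if "wrote" in line else "ctx"].add((src, dst))
        elif m := KEY_RE.match(line):
            ev["key"].append((m.group(2), m.group(3)))
        elif m := TOKEN_RE.match(line):
            ev["token"].append((m.group(1), int(m.group(2)), m.group(3)))
    return ev


def triage(ev):
    """Return (severity, finding) pairs; the severity scale is this example's own."""
    img, findings, hollowed = ev["image"], [], set()
    for src, dst in sorted(ev["write"]):
        if (src, dst) in ev["ctx"] and img[src] == img[dst]:
            # WriteProcessMemory plus SetThreadContext on a child that runs the
            # same image: the self-injection / process-hollowing pattern.
            hollowed.add(dst)
            findings.append(("high", f"{img[src]} (PID {src}) hollowed its own child PID {dst}"))
        elif img[src] != img[dst]:
            # Cross-image write: the original sample handing off to the dropped EXE.
            findings.append(("medium", f"{img[src]} (PID {src}) wrote into {img[dst]} (PID {dst})"))
        else:
            findings.append(("info", f"{img[src]} (PID {src}) wrote into same-image PID {dst} without SetThreadContext"))
    for key, proc in ev["key"]:
        if key.endswith(GEOFENCE_KEY):
            findings.append(("low", f"{proc} read the Geo/Nation country code (possible geofence)"))
        elif any(key.endswith(k) for k in OUTLOOK_KEYS):
            findings.append(("high", f"{proc} opened Outlook profile store {key}"))
    for priv, pid, proc in ev["token"]:
        # A privilege enabled inside the hollowed child ties it to the chain above.
        where = " inside the hollowed child" if pid in hollowed else ""
        findings.append(("high" if pid in hollowed else "medium", f"{proc} (PID {pid}) enabled {priv}{where}"))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in triage(parse_events(EVENTS)):
        print(f"[{sev:6}] {msg}")
```

On this report the script attributes the Outlook access and SeDebugPrivilege to PID 2984, the child that PID 1420 both wrote into and set the thread context of, and leaves the write into PID 3184 (same image, no SetThreadContext, no further activity) as an informational note.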
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe  (listed four times in the report with identical hashes; shown once)
  Filesize: 6KB
  MD5: 58dae549a95522ce74dfda819bc2b8b5
  SHA1: 7941b02cfa73b5ea89dc684c596b4e8cfe6dcba5
  SHA256: 72bf301c8a8486fb02c1dd1567326282c99048b3ed122040ce4718c47c4d6cc2
  SHA512: d6277e8218bd7da69beedd5f437dcb8dac849458d6aeb139064b8c27731da4ab5b0f086d827224015f5ce35dfa22c17fa7b5fba0cc98804d7be8b26e031dacba
- C:\Users\Admin\AppData\Local\Temp\loouoa.ovn
  Filesize: 104KB
  MD5: 49c0e5426873d5c391859eff70882aea
  SHA1: d67be96737c57614be9af63ae1b8d99ac2b84a94
  SHA256: 311b6c210ffe3dcbed2b5419005e053dc7cb1c9f88a6f46ef4a462df2e0cdc37
  SHA512: 453b6d112271b117e7a5cdcdec9f8d2782b8cd14da4f79e6659fa479a79974366baaab3db3876d33b98194753c534664f7cce9f2185dde0d2b4322d1f3d28cc7
- C:\Users\Admin\AppData\Local\Temp\nzlkuq.opk
  Filesize: 4KB
  MD5: 171403f28cff9e0bb2b9fb1af649ef29
  SHA1: a46d3a9163ac7be7502f9db907eefd0c0ba4343f
  SHA256: 349bcf4cd16b2045cb4bf9ea2df6e06f1ed442015e419bf045b4122ec0a828c1
  SHA512: bd381f3527afbe40ac047a9385ee530d2846673c3fa1c9543edbd1f704b468806a7c4f7ec1615e1f6a85d7ce59f42300d6de628243d4a5a47fb9df94985f38a8
- memory/1420-132-0x0000000000000000-mapping.dmp  (memory dump of PID 1420)
- memory/2984-138-0x0000000000000000-mapping.dmp  (memory dump of PID 2984)