Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 14:09
Static task: static1
Behavioral task: behavioral1
Sample: Bill Of Lading - VNSEA4331295.exe
Resource: win7-20220812-en
General
- Target: Bill Of Lading - VNSEA4331295.exe
- Size: 919KB
- MD5: fa2b3a90b953f1919563c4494d8ada0b
- SHA1: 2c515413532fada3621210c7e2101146e6f5a5fa
- SHA256: 61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404
- SHA512: 7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68
- SSDEEP: 12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48
Malware Config
Extracted
formbook
ntzb
ec/NM1mI984Gb/9r
LIh84/7lSr8jyCJjNRy3cy5K/w==
ywyL4wf5IYKQvdNGr5hpUcZk
ibXIRT7wwpAGb/9r
jvlCCTIkf3aEc0yrhiKei9M=
JpvChtpFpghexluRIQ==
ufPzZvM9cUyAySmfh3VZ
IWlUsdnOG2qvOYvJMp9v2/IU7Q==
AShx1yFdwhMDEvts6yKei9M=
G0s8BkB7oPAhNESxLJisov0O4g==
5whNpsfrfGq6bT5VM5c=
7YrOda8xKRZpbX55Rp0=
lff5IDBTuCxnxluRIQ==
s/nqUHamCtIGb/9r
IqvUNFmH8soGb/9r
l8GtEDwvaHre8/VBHFv+wQ==
cb4m5SZjvr4EuU20ORuv4zoQMrY=
msP5quMgh5TOcT5VM5c=
yvEWmNz1G6jvgN1EHFv+wQ==
ZfcqLcYYqRdu9EWF7mUynGEx7sib
oC9SS+ghXRCgR6kM3dGiZWaDYDGfllT60Q==
VUIK0hVHWvYXMQ==
VKTw+/16n5qR
s/RwhmOG9s4Gb/9r
aAsYoEN62lR1xluRIQ==
8GOp4R1hi+k9sFGePqGfyQ==
LXFw4m/QLYLbcMsm3j7R7DoQMrY=
tXL5jv2EWvYXMQ==
qcf7uuPfL5DoZka7OA==
3ukiaY+Fsgj8Fx86GZSozg==
1yikZ3SLxJPFZ/hpKNaQhtM=
PrXj6CozmR4jVkKVWr2wov0O4g==
g/YzYBhbimXH6/pU2kUIov0O4g==
OJeQF8IJdbMEKg8=
PrEldZm98730D+s5HFv+wQ==
0VCEk9XRNiaLvNU1HFv+wQ==
H4hYSMz+bmR070RubWNY
919MSu5Jt3MVLBA=
1B8mlsPjIa8rLw0=
Gf6/pr6AWvYXMQ==
tUeCDlf1VUhLNlzBPA==
iKnS9J4HaU68LP9P10YK1Q==
htnZtNkBXsDYTvM/sJ8=
CVlevDlkwT9uiZX4a9+hD93xhBrgj0h8
hgFKF/x6n5qR
5W62bbL9Kq8rLw0=
+xXftgVBZKjpITedE5+Obn2RI0DBgQ==
kpsnN3Bn7A==
C6ThjtUwzS6ehF2YKQ==
0WObSldDe2V170ZubWNY
v+0ksf0RNI8MMRBjG6Csov0O4g==
JzS/lA9DWvYXMQ==
7V2hcZydC3zehFaaIYA=
0jzCnoDdBRCpaWrfqTmi3joQMrY=
RXenOe8sXMQipfpi6TQeLToQMrY=
ncfD0CkpTZh/MZr5r951ScQ=
039/6y96n5qR
Nb/4r8v1ViIMmfJHKRr6fQZY9r3Lhw==
5i+jXqPuI68rLw0=
T6iuUjknViQeyyhfIB3RgdNu
KoeSxNvRJa8rLw0=
mrmLDLzXA2uDiWvb7AAE1g==
nCJiJz96n5qR
6EWQM05vy68VFoFfFbZ1LqZY9Q==
seismoeng.com
Signatures
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
  flow  pid   process
  40    1932  rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Bill Of Lading - VNSEA4331295.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  process: Bill Of Lading - VNSEA4331295.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 3 IoCs
Processes: Bill Of Lading - VNSEA4331295.exe, rundll32.exe
  description                           pid   process                            target process
  PID 4832 set thread context of 1588   4832  Bill Of Lading - VNSEA4331295.exe  Bill Of Lading - VNSEA4331295.exe
  PID 1588 set thread context of 3076   1588  Bill Of Lading - VNSEA4331295.exe  Explorer.EXE
  PID 1932 set thread context of 3076   1932  rundll32.exe                       Explorer.EXE
Modifies Internet Explorer settings
Processes: rundll32.exe
  description: Key created
  ioc: \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: rundll32.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes: Bill Of Lading - VNSEA4331295.exe, rundll32.exe
  pid   process
  1588  Bill Of Lading - VNSEA4331295.exe (listed 8 times)
  1932  rundll32.exe (listed for all remaining entries of the 62)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  pid   process
  3076  Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: Bill Of Lading - VNSEA4331295.exe, rundll32.exe
  pid   process
  1588  Bill Of Lading - VNSEA4331295.exe (listed 3 times)
  1932  rundll32.exe (listed 4 times)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Bill Of Lading - VNSEA4331295.exe, rundll32.exe
  description               pid   process
  Token: SeDebugPrivilege   1588  Bill Of Lading - VNSEA4331295.exe
  Token: SeDebugPrivilege   1932  rundll32.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Bill Of Lading - VNSEA4331295.exe, Explorer.EXE, rundll32.exe
  description                        pid   process                            target process
  PID 4832 wrote to memory of 1588   4832  Bill Of Lading - VNSEA4331295.exe  Bill Of Lading - VNSEA4331295.exe (listed 6 times)
  PID 3076 wrote to memory of 1932   3076  Explorer.EXE                       rundll32.exe (listed 3 times)
  PID 1932 wrote to memory of 4388   1932  rundll32.exe                       Firefox.exe (listed 3 times)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3076
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe"
    PID: 4832
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe"
      PID: 1588
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    PID: 1932
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 4388
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1588-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1588-145-0x00000000014B0000-0x00000000014C0000-memory.dmp (Filesize 64KB)
- memory/1588-144-0x0000000001A60000-0x0000000001DAA000-memory.dmp (Filesize 3.3MB)
- memory/1588-143-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
- memory/1588-142-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1588-141-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1588-138-0x0000000000000000-mapping.dmp
- memory/1932-148-0x00000000004C0000-0x00000000004D4000-memory.dmp (Filesize 80KB)
- memory/1932-150-0x0000000002EC0000-0x000000000320A000-memory.dmp (Filesize 3.3MB)
- memory/1932-153-0x00000000010C0000-0x00000000010ED000-memory.dmp (Filesize 180KB)
- memory/1932-151-0x0000000003210000-0x000000000329F000-memory.dmp (Filesize 572KB)
- memory/1932-149-0x00000000010C0000-0x00000000010ED000-memory.dmp (Filesize 180KB)
- memory/1932-147-0x0000000000000000-mapping.dmp
- memory/3076-146-0x00000000082B0000-0x00000000083B8000-memory.dmp (Filesize 1.0MB)
- memory/3076-152-0x00000000032D0000-0x00000000033C3000-memory.dmp (Filesize 972KB)
- memory/3076-154-0x00000000032D0000-0x00000000033C3000-memory.dmp (Filesize 972KB)
- memory/4832-133-0x0000000005AE0000-0x0000000006084000-memory.dmp (Filesize 5.6MB)
- memory/4832-132-0x0000000000B90000-0x0000000000C7C000-memory.dmp (Filesize 944KB)
- memory/4832-134-0x0000000005610000-0x00000000056A2000-memory.dmp (Filesize 584KB)
- memory/4832-137-0x0000000005960000-0x00000000059FC000-memory.dmp (Filesize 624KB)
- memory/4832-135-0x00000000056B0000-0x0000000005726000-memory.dmp (Filesize 472KB)
- memory/4832-136-0x0000000005780000-0x000000000579E000-memory.dmp (Filesize 120KB)