60839f78201096dac45fcff102f5c7eb8682b7eb1b36c12b9b997ee41c7d0ced

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shipping document.exe
Size

694KB
MD5

e93972baf88a612125f843a2d036df02
SHA1

372954e625babd330a82e226adb5c19e8eeb9640
SHA256

60839f78201096dac45fcff102f5c7eb8682b7eb1b36c12b9b997ee41c7d0ced
SHA512

b857e3d9957b0b7dde7b185240f8454e85b3c9a165cb8be22f159e2975451ae7f8339e27d7cc1d2a039d214eda683e9dd69d36bf0b1b7b7af17e04b189f7c016
SSDEEP

12288:85U+vIg5vP0FBWRHitHdInp44B9L+DCJITkcONusHvm4yz:85nvIDoCt9InpTPzS4cIPm

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 4568	5096	shipping document.exe	80
PID 4568 set thread context of 2152	4568	Caspol.exe	18
PID 1684 set thread context of 2152	1684	ipconfig.exe	18

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2204	4848	WerFault.exe	82

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1684	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2152	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4568	Caspol.exe
4568	Caspol.exe
4568	Caspol.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe
1684	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	Caspol.exe
Token: SeDebugPrivilege	1684	ipconfig.exe
Token: SeShutdownPrivilege	2152	Explorer.EXE
Token: SeCreatePagefilePrivilege	2152	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 5096 wrote to memory of 4568	5096	shipping document.exe	80
PID 2152 wrote to memory of 1684	2152	Explorer.EXE	81
PID 2152 wrote to memory of 1684	2152	Explorer.EXE	81
PID 2152 wrote to memory of 1684	2152	Explorer.EXE	81
PID 1684 wrote to memory of 4848	1684	ipconfig.exe	82
PID 1684 wrote to memory of 4848	1684	ipconfig.exe	82
PID 1684 wrote to memory of 4848	1684	ipconfig.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\shipping document.exe
  "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4848
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4848 -s 188
      4⤵
      Program crash
      PID:2204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4848 -ip 4848
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-141-0x0000000000000000-mapping.dmp

Download
memory/1684-146-0x00000000015D0000-0x000000000165F000-memory.dmp

Filesize
572KB

Download
memory/1684-145-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/1684-144-0x0000000001790000-0x0000000001ADA000-memory.dmp

Filesize
3.3MB

Download
memory/1684-143-0x0000000000040000-0x000000000004B000-memory.dmp

Filesize
44KB

Download
memory/2152-140-0x0000000007B30000-0x0000000007C00000-memory.dmp

Filesize
832KB

Download
memory/2152-147-0x0000000007CB0000-0x0000000007D6D000-memory.dmp

Filesize
756KB

Download
memory/2152-148-0x0000000007CB0000-0x0000000007D6D000-memory.dmp

Filesize
756KB

Download
memory/4568-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-139-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4568-137-0x00000000016F0000-0x0000000001A3A000-memory.dmp

Filesize
3.3MB

Download
memory/4568-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-134-0x00000000004012E0-mapping.dmp

Download
memory/4568-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-132-0x0000017B78270000-0x0000017B78320000-memory.dmp

Filesize
704KB

Download
memory/5096-135-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp

Filesize
10.8MB

Download