Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20/03/2023, 12:21
General
-
Target
https://www.mediafire.com/file_premium/tr8pl157mvpusf7/PURCHASE_ORDER.tgz/file
Malware Config
Signatures
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 23 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 38 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file_premium/tr8pl157mvpusf7/PURCHASE_ORDER.tgz/file1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4560 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\PURCHASE ORDER.tgz"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD57948dd926b3122d6b147f58ca5afa1c6
SHA13c5692c4ff1fd9413602de9ece96d1b796356030
SHA256cc4bd2b5019416c5a81bc78f703f4f2b3da82007de88102a8fc6500efed18168
SHA512aeddee0d767b5983aa847945d1283ec4530757d48068a8ea3800072ea91f464898a2d2fd481f00a87a9c3a1a35005bc09fe12df67b04076a15cf5e3698862f58
-
Filesize
1.2MB
MD57948dd926b3122d6b147f58ca5afa1c6
SHA13c5692c4ff1fd9413602de9ece96d1b796356030
SHA256cc4bd2b5019416c5a81bc78f703f4f2b3da82007de88102a8fc6500efed18168
SHA512aeddee0d767b5983aa847945d1283ec4530757d48068a8ea3800072ea91f464898a2d2fd481f00a87a9c3a1a35005bc09fe12df67b04076a15cf5e3698862f58
-
Filesize
2.0MB
-
Filesize
2.0MB