Analysis
max time kernel: 63s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2023 11:41

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: purchase order.exe
  Resource: win7-20230220-en (windows7-x64)
  7 signatures, 150 seconds
General
Target: purchase order.exe
Size: 916KB
MD5: 3f626f64cf5f7196bc812ff1814d95f6
SHA1: c7dcf05df40dc04d4f9af38ef7a887ffde68abb5
SHA256: f6a82d751b2c63e135488686a43c60f35c2cda54a5599f450d4c123043e3c6b2
SHA512: ecf5aca2cfc774557f1170d5ba73115a3240831b2b1bf2c7c43b8dd8b2965450efd7c25ed71b0bb0a7e28931ecb5cd614c1cf5c3fc318ca2c891813983856413
SSDEEP: 12288:KOCmzZBEP85QaC9JhmbdqSNhjwl+eZj17y1a3RplcyqKdxKHwhj5p5U61aNf:h9BEP83O6qSNhjwtIa2DyxKkf5UMM
Malware Config
Extracted
Family: darkcloud
Attributes:
  email_from: hotel2@hotelzing.net
  email_to: newgrow.tech@protonmail.com
Signatures
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process             target process
  PID 1320 set thread context of 972   1320  purchase order.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1320  purchase order.exe
  1320  purchase order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1320  purchase order.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  972   vbc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        pid   process             target process
  PID 1320 wrote to memory of 972    1320  purchase order.exe  vbc.exe   (9 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\purchase order.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (pid-sequence, region, size):
  memory/972-62    0x0000000000400000-0x000000000046A000  424KB
  memory/972-72    0x0000000000400000-0x000000000046A000  424KB
  memory/972-71    0x0000000000400000-0x000000000046A000  424KB
  memory/972-68    0x0000000000400000-0x000000000046A000  424KB
  memory/972-66    0x0000000000400000-0x000000000046A000  424KB
  memory/972-65    0x00000000FFFDE000-0x00000000FFFDF000  4KB
  memory/972-63    0x0000000000400000-0x000000000046A000  424KB
  memory/972-61    0x0000000000400000-0x000000000046A000  424KB
  memory/1320-57   0x0000000004540000-0x0000000004580000  256KB
  memory/1320-60   0x00000000052C0000-0x0000000005332000  456KB
  memory/1320-59   0x00000000058F0000-0x0000000005996000  664KB
  memory/1320-58   0x00000000004A0000-0x00000000004AA000  40KB
  memory/1320-54   0x0000000000CE0000-0x0000000000DCC000  944KB
  memory/1320-56   0x0000000000340000-0x0000000000350000  64KB
  memory/1320-55   0x0000000004540000-0x0000000004580000  256KB
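The behavioural signatures above (nine WriteProcessMemory calls and one SetThreadContext from purchase order.exe into its freshly spawned vbc.exe child, followed by SetWindowsHookEx inside vbc.exe) are the classic footprint of a .NET loader hollowing a Microsoft framework binary and running a keylogging stealer payload in it, and the repeated 424KB dumps of pid 972 at 0x400000 are where that payload would be carved from. The following Python is an added example, not part of this sandbox report or of the DarkCloud sample: it correlates the two lists into a triage verdict. The event tuple layout, the DOTNET_SYSTEM_IMAGES set and the 0x400000 non-relocated image-base heuristic are my own assumptions; the PIDs, image names and dump file names are transcribed from this page.

```python
import re
from collections import Counter

# Constructed input: behavioural events transcribed from the report's Signatures
# section. The (api, src_pid, src_image, dst_pid, dst_image) layout is my own,
# not the sandbox's export format.
EVENTS = [
    ("WriteProcessMemory", 1320, "purchase order.exe", 972, "vbc.exe"),
] * 9 + [
    ("SetThreadContext", 1320, "purchase order.exe", 972, "vbc.exe"),
    ("AdjustPrivilegeToken:SeDebugPrivilege", 1320, "purchase order.exe", None, None),
    ("SetWindowsHookEx", 972, "vbc.exe", None, None),
]

# Constructed input: dump names transcribed from the report's Downloads section.
DUMPS = [
    "memory/972-62-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-72-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-71-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-68-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-66-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
    "memory/972-63-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/972-61-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/1320-57-0x0000000004540000-0x0000000004580000-memory.dmp",
    "memory/1320-60-0x00000000052C0000-0x0000000005332000-memory.dmp",
    "memory/1320-59-0x00000000058F0000-0x0000000005996000-memory.dmp",
    "memory/1320-58-0x00000000004A0000-0x00000000004AA000-memory.dmp",
    "memory/1320-54-0x0000000000CE0000-0x0000000000DCC000-memory.dmp",
    "memory/1320-56-0x0000000000340000-0x0000000000350000-memory.dmp",
    "memory/1320-55-0x0000000004540000-0x0000000004580000-memory.dmp",
]

# Assumption: signed .NET Framework binaries that loaders commonly spawn suspended
# and hollow. Legitimate builds invoke them with arguments; an argument-less copy
# being written to by its parent is the suspicious case.
DOTNET_SYSTEM_IMAGES = {
    "vbc.exe", "csc.exe", "cvtres.exe", "msbuild.exe", "regasm.exe",
    "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe", "applaunch.exe",
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """Split a sandbox dump name into pid, sequence number, region bounds and byte size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def find_injection(events):
    """Return one finding per (source, target) pair that shows both remote writes
    and a thread-context change, the minimum for process hollowing / thread hijack."""
    writes, ctx, hooks, images = Counter(), set(), set(), {}
    for api, spid, simg, tpid, timg in events:
        images[spid] = simg
        if tpid is not None:
            images[tpid] = timg
        if api == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
        elif api == "SetThreadContext":
            ctx.add((spid, tpid))
        elif api == "SetWindowsHookEx":
            hooks.add(spid)
    findings = []
    for (spid, tpid), n in writes.items():
        if (spid, tpid) in ctx:
            findings.append({
                "source": spid, "target": tpid, "writes": n,
                "target_image": images[tpid],
                "target_is_system_dotnet": images[tpid].lower() in DOTNET_SYSTEM_IMAGES,
                "target_installs_hook": tpid in hooks,  # keylogger indicator in the hollowed child
            })
    return findings


def hollowed_image_regions(dumps, pid, image_base=0x400000):
    """Dumps of the injected pid whose region starts at the non-relocated default
    image base: the candidate payload PE to carve and hash (assumed heuristic)."""
    return [r for r in map(parse_dump, dumps) if r["pid"] == pid and r["start"] == image_base]


if __name__ == "__main__":
    for f in find_injection(EVENTS):
        print(f"{f['source']} -> {f['target']} ({f['target_image']}): "
              f"{f['writes']} writes, hook={f['target_installs_hook']}")
        for r in hollowed_image_regions(DUMPS, f["target"]):
            print(f"  carve candidate seq {r['seq']}: 0x{r['start']:X}-0x{r['end']:X} ({r['size'] // 1024}KB)")
```

Every "Filesize" value in the table is recomputable from the region bounds, so the size check doubles as a sanity test on the transcription; the seven 0x400000 dumps of pid 972 are successive snapshots of the same 424KB region, and the latest sequence number is normally the fully written one worth extracting.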