Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2023 11:41
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
  - Sample: purchase order.exe
  - Resource: win7-20230220-en (windows7-x64)
  - 7 signatures
  - 150 seconds
General
- Target: purchase order.exe
- Size: 916KB
- MD5: 3f626f64cf5f7196bc812ff1814d95f6
- SHA1: c7dcf05df40dc04d4f9af38ef7a887ffde68abb5
- SHA256: f6a82d751b2c63e135488686a43c60f35c2cda54a5599f450d4c123043e3c6b2
- SHA512: ecf5aca2cfc774557f1170d5ba73115a3240831b2b1bf2c7c43b8dd8b2965450efd7c25ed71b0bb0a7e28931ecb5cd614c1cf5c3fc318ca2c891813983856413
- SSDEEP: 12288:KOCmzZBEP85QaC9JhmbdqSNhjwl+eZj17y1a3RplcyqKdxKHwhj5p5U61aNf:h9BEP83O6qSNhjwtIa2DyxKkf5UMM
Malware Config
Extracted
- Family: darkcloud
- Attributes:
  - email_from: hotel2@hotelzing.net
  - email_to: newgrow.tech@protonmail.com
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process             target process
    PID 3812 set thread context of 4804   3812  purchase order.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3812  purchase order.exe
    3812  purchase order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3812  purchase order.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    4804  vbc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process             target process
    PID 3812 wrote to memory of 4804   3812  purchase order.exe  vbc.exe
    (the same event is recorded 8 times)
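Taken together, the signatures above describe a cross-process write followed by a SetThreadContext call from purchase order.exe (PID 3812) into vbc.exe (PID 4804), with the parent holding SeDebugPrivilege; that is the shape of process hollowing, and the 424KB region at 0x400000 dumped from vbc.exe (see Downloads) is where a replaced image would sit. The Python below is an added example and is not part of the sandbox report or of the DarkCloud sample: it parses the flattened event lines from this report (embedded as constructed input), flags any parent/child pair that shows both a write and a context change, and decodes the dump filenames into regions. The `pid-index-start-end` dump naming and the treatment of a region starting at 0x400000 as the hollowed image base are assumptions of this example, not statements made by the report.

```python
"""Process-hollowing heuristic over flattened sandbox events.

Added example, not part of the sandbox report. It flags a parent that both
writes into a child's memory and resets one of the child's thread contexts;
either behaviour on its own (a debugger, an installer) is not flagged.
"""
import re
from collections import defaultdict

# Constructed input: the event lines from this report's Signatures section.
EVENT_LINES = [
    "PID 3812 set thread context of 4804 3812 purchase order.exe vbc.exe",
    "Token: SeDebugPrivilege 3812 purchase order.exe",
] + ["PID 3812 wrote to memory of 4804 3812 purchase order.exe vbc.exe"] * 8

# Constructed input: two dump names from this report's Downloads section.
DUMP_NAMES = [
    "memory/3812-133-0x0000000000330000-0x000000000041C000-memory.dmp",
    "memory/4804-140-0x0000000000400000-0x000000000046A000-memory.dmp",
]

XPROC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\w+) (?P<pid>\d+) (?P<img>.+\.exe)$")
# Assumed naming convention: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_events(lines):
    """Turn flattened report lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = XPROC_RE.match(line)
        if m:
            op = "SetThreadContext" if m["op"].startswith("set") else "WriteProcessMemory"
            events.append({"op": op, "src": int(m["src"]), "dst": int(m["dst"]),
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
            continue
        m = TOKEN_RE.match(line)
        if m:
            events.append({"op": "AdjustPrivilegeToken", "src": int(m["pid"]),
                           "dst": int(m["pid"]), "priv": m["priv"],
                           "src_img": m["img"], "dst_img": m["img"]})
    return events


def find_hollowing(events):
    """One finding per (parent, child) pair showing both writes and a context change."""
    by_pair = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for e in events:
        if e["src"] == e["dst"]:
            continue  # token adjustments are self-targeted; not cross-process
        key = (e["src"], e["dst"], e["src_img"], e["dst_img"])
        if e["op"] == "WriteProcessMemory":
            by_pair[key]["writes"] += 1
        elif e["op"] == "SetThreadContext":
            by_pair[key]["ctx"] += 1
    debug_pids = {e["src"] for e in events
                  if e["op"] == "AdjustPrivilegeToken" and e["priv"] == "SeDebugPrivilege"}
    findings = []
    for (src, dst, src_img, dst_img), c in by_pair.items():
        if c["writes"] and c["ctx"]:
            findings.append({"parent": src, "parent_image": src_img,
                             "child": dst, "child_image": dst_img,
                             "writes": c["writes"], "context_changes": c["ctx"],
                             "parent_has_sedebug": src in debug_pids})
    return findings


def dump_regions(names):
    """Decode dump filenames into {pid, start, size_kb} using the assumed naming."""
    out = []
    for n in names:
        m = DUMP_RE.match(n)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            out.append({"pid": int(m["pid"]), "start": start, "size_kb": (end - start) // 1024})
    return out


def child_image_region(findings, regions):
    """Map each hollowed child PID to the size of its dumped region at 0x400000,
    the conventional image base (an assumption, not a fact from the report)."""
    hits = {}
    for f in findings:
        for r in regions:
            if r["pid"] == f["child"] and r["start"] == 0x400000:
                hits[f["child"]] = r["size_kb"]
    return hits


if __name__ == "__main__":
    fs = find_hollowing(parse_events(EVENT_LINES))
    for f in fs:
        print(f"{f['parent_image']} ({f['parent']}) -> {f['child_image']} ({f['child']}): "
              f"{f['writes']} writes, {f['context_changes']} SetThreadContext, "
              f"SeDebugPrivilege={f['parent_has_sedebug']}")
    print(child_image_region(fs, dump_regions(DUMP_NAMES)))
```

Run stand-alone it reports the single 3812 -> 4804 pair with 8 writes and one context change, and pairs it with the 424KB region at 0x400000 in PID 4804; a parent that only writes, or only changes a context, produces no finding.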
Processes
- C:\Users\Admin\AppData\Local\Temp\purchase order.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of purchase order.exe)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3812-133-0x0000000000330000-0x000000000041C000-memory.dmp (Filesize 944KB)
- memory/3812-134-0x0000000005450000-0x00000000059F4000-memory.dmp (Filesize 5.6MB)
- memory/3812-135-0x0000000004DC0000-0x0000000004E52000-memory.dmp (Filesize 584KB)
- memory/3812-136-0x0000000004E70000-0x0000000004E7A000-memory.dmp (Filesize 40KB)
- memory/3812-137-0x0000000004F70000-0x0000000004F80000-memory.dmp (Filesize 64KB)
- memory/3812-138-0x0000000004F70000-0x0000000004F80000-memory.dmp (Filesize 64KB)
- memory/3812-139-0x0000000006FB0000-0x000000000704C000-memory.dmp (Filesize 624KB)
- memory/4804-140-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)
- memory/4804-143-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)
- memory/4804-146-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)
- memory/4804-147-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)