Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2023, 06:42

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: Purchase Order.exe
  Resource: win7-20230712-en
  6 signatures, 150 seconds
General
Target: Purchase Order.exe
Size: 929KB
MD5: 4850b02b03b4c5afce61f6fddba41d42
SHA1: bd2fac213a29c346425431f7dcc06c9208882dab
SHA256: c5dc5d0cc0ec3f2f607941f8d44019001ca18ab09abda656d4e68a5219d0e576
SHA512: eef1c9628bf7282f7390edb70d041655efe74cb2e905ae83a864ebaf64669492dc2964942f3e74fb71d1c94060a45f680d766a1ad798a349c526065b9e3ae9a8
SSDEEP: 24576:BHIcTrGCZs4SsKuw7AvndUyDI0Ax6EDyBhXko:BHIkrz64SsKuw7APdlI/I7BZk
Malware Config
Extracted
Family: darkcloud
Attributes:
- email_from
- email_to
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process             procid_target
  PID 472 set thread context of 1724     472   Purchase Order.exe  31

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  472   Purchase Order.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    472   Purchase Order.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  1724   Purchase Order.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                          pid   Process             procid_target
  PID 472 wrote to memory of 2140      472   Purchase Order.exe  30
  PID 472 wrote to memory of 2140      472   Purchase Order.exe  30
  PID 472 wrote to memory of 2140      472   Purchase Order.exe  30
  PID 472 wrote to memory of 2140      472   Purchase Order.exe  30
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
  PID 472 wrote to memory of 1724      472   Purchase Order.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  PID: 472
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe (child of PID 472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    PID: 2140

  C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe (child of PID 472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    PID: 1724
    - Suspicious use of SetWindowsHookEx