f7c753b43a9dd03a388e57237a14861e28db225e6c11ad3ea04a80143aad8a71

Resubmissions

30/10/2023, 12:29

231030-ppdctaeg32 3

30/10/2023, 10:24

231030-mfdacacc6z 3

Analysis

max time kernel
138s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document Purchase Order BNK-295980.msg
Size

264KB
MD5

616cf66aa84b76dbb575de88d65d6f80
SHA1

aa1d299b0de6e195c5177815c08082fcf4b9962f
SHA256

f7c753b43a9dd03a388e57237a14861e28db225e6c11ad3ea04a80143aad8a71
SHA512

545223b66f33aa8c34dbf6b2371a6c4d34c3f52b291ab76c16f99521723b1106388047e3f6fd5c6ee66edd64e1d18f72bb579adf90b6e86e1c92489a0252df40
SSDEEP

6144:Kh+EMdRduTOxCuTeg+kmpOUprp28qXwLx7UkaZCiFr9qUQl0rr:jRnxUr928FLxStDQl0rr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4432	OpenWith.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 952	4432	OpenWith.exe	94
PID 4432 wrote to memory of 952	4432	OpenWith.exe	94

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Document Purchase Order BNK-295980.msg"
1⤵
- Modifies registry class
PID:3864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Document Purchase Order BNK-295980.msg
  2⤵
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...