241a63ae9b38398c8b01a096d48ee5d36fe95c1277da2828015c1ff82d0d2e11

Analysis

max time kernel
135s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doctor firm order form.exe
Size

669KB
MD5

7921d3a2df6061b71d17c17db395b7e0
SHA1

3e4fcc203670021c89724d79519c173b3f65e987
SHA256

d93978a9bffc17a585440b55863b852331f8a24bd2f13ab16a32c5ccbcf9eddd
SHA512

79b82ba94f911a9a750d69018ab4660c76d9130de24d27c02562ea3232dff90d89e13a7165c72fa87cb25d042d1371ebc0fe827b17ba25416a5652d01883d270
SSDEEP

12288:YI9A8OQDqMbCU82kfGYOO5Xf/exzg+EUPi0j3e04YoJwRg5vNKW3JugtzZCGGVLc:YIKNWqMX82kfGYOc/OzgOaIu0ROwRSNN

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2304	2180	Doctor firm order form.exe	96

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doctor firm order form.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2180	Doctor firm order form.exe
2180	Doctor firm order form.exe
2180	Doctor firm order form.exe
2180	Doctor firm order form.exe
2180	Doctor firm order form.exe
2180	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe
2304	Doctor firm order form.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	Doctor firm order form.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1884	2180	Doctor firm order form.exe	94
PID 2180 wrote to memory of 1884	2180	Doctor firm order form.exe	94
PID 2180 wrote to memory of 1884	2180	Doctor firm order form.exe	94
PID 2180 wrote to memory of 2832	2180	Doctor firm order form.exe	95
PID 2180 wrote to memory of 2832	2180	Doctor firm order form.exe	95
PID 2180 wrote to memory of 2832	2180	Doctor firm order form.exe	95
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96
PID 2180 wrote to memory of 2304	2180	Doctor firm order form.exe	96

C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe
"C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe
  "C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe"
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe
  "C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe
  "C:\Users\Admin\AppData\Local\Temp\Doctor firm order form.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-8-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2180-4-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2180-3-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/2180-9-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-5-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/2180-6-0x0000000006BE0000-0x0000000006C84000-memory.dmp

Filesize
656KB

Download
memory/2180-10-0x0000000006C90000-0x0000000006D1E000-memory.dmp

Filesize
568KB

Download
memory/2180-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/2180-1-0x0000000000C80000-0x0000000000D2E000-memory.dmp

Filesize
696KB

Download
memory/2180-7-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

Filesize
64KB

Download
memory/2180-11-0x00000000092E0000-0x000000000937C000-memory.dmp

Filesize
624KB

Download
memory/2180-14-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2304-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2304-16-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download
memory/2304-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download