Analysis
-
max time kernel
123s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
19/10/2022, 17:39
Static task
static1
Behavioral task
behavioral1
Sample
REMITTANCE SLIP ADVISE_pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
REMITTANCE SLIP ADVISE_pdf.exe
Resource
win10v2004-20220812-en
General
-
Target
REMITTANCE SLIP ADVISE_pdf.exe
-
Size
209KB
-
MD5
1be9bac6394ecf58c82ff9cfdb17beb7
-
SHA1
586d42863e3866230a13c2d753e94aa5991f665e
-
SHA256
5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af
-
SHA512
e5645dde55795a16287eab52c0ad45adefa9c2ec91d40ce49b486f7e9baaab52dd29d6170e381c4cc917adac1db8da27bf8fc81a8b58fcad7c8bcb33fd43ec2c
-
SSDEEP
6144:mbE/HUbt040+3ZQ7qazA4V8rPYqFzak0BqrUe:mb/tiiIqa89P3FqsX
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid    Process
1984   hcpyulw.exe
1708   hcpyulw.exe
-
Loads dropped DLL 4 IoCs
pid    Process
784    REMITTANCE SLIP ADVISE_pdf.exe
1984   hcpyulw.exe
1984   hcpyulw.exe
1592   hcpyulw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description   ioc                                                                                                                                               Process
Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hcpyulw.exe
Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                  hcpyulw.exe
Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                  hcpyulw.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                           pid    Process       procid_target
PID 1984 set thread context of 1592   1984   hcpyulw.exe   29
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   1592   hcpyulw.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description                     pid    Process                          procid_target
PID 784 wrote to memory of 1984   784    REMITTANCE SLIP ADVISE_pdf.exe   26
PID 784 wrote to memory of 1984   784    REMITTANCE SLIP ADVISE_pdf.exe   26
PID 784 wrote to memory of 1984   784    REMITTANCE SLIP ADVISE_pdf.exe   26
PID 784 wrote to memory of 1984   784    REMITTANCE SLIP ADVISE_pdf.exe   26
PID 1984 wrote to memory of 1708  1984   hcpyulw.exe                      28
PID 1984 wrote to memory of 1708  1984   hcpyulw.exe                      28
PID 1984 wrote to memory of 1708  1984   hcpyulw.exe                      28
PID 1984 wrote to memory of 1708  1984   hcpyulw.exe                      28
PID 1984 wrote to memory of 1592  1984   hcpyulw.exe                      29
PID 1984 wrote to memory of 1592  1984   hcpyulw.exe                      29
PID 1984 wrote to memory of 1592  1984   hcpyulw.exe                      29
PID 1984 wrote to memory of 1592  1984   hcpyulw.exe                      29
PID 1984 wrote to memory of 1592  1984   hcpyulw.exe                      29
-
outlook_office_path 1 IoCs
description   ioc                                                                                                               Process
Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   hcpyulw.exe
-
outlook_win_path 1 IoCs
description   ioc                                                                                                                                               Process
Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   hcpyulw.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe
   "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:784
   2. C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
      "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:1984
      3. C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
         "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
         - Executes dropped EXE
         PID:1708
      3. C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
         "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
         - Loads dropped DLL
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
         PID:1592
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
133KB
MD5 4f55952b6403887ac5f6892b87e7d704
SHA1 b9a2cb36197806c79c1c62aa610b4b010e20d104
SHA256 38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606
SHA512 d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11
-
Filesize
104KB
MD5 d1c8d9bf46a1165e80e3b59635bf2884
SHA1 f704bc41a4930a4859420423f404cac43de8e527
SHA256 59d386110a90dd8fc51c3a602c5624b2456b6f2fdf371fac8540c2dba62f4d23
SHA512 b9db300d11b5472791585e4bece00ab1477b0a9a8454674f62c7ea9afe0be691f3c50e6a642ae44ea5f8cc7cf004997e7428e6d1ac865051c1b4f2d6a61aa36d
-
Filesize
4KB
MD5 cd49ab3b45660b0472efda650f1c3480
SHA1 b5686c548f951ed51dd20f0454e75720fb4c6f05
SHA256 fd5997ddb1a6b2bea0ddde2b531a5e1c76f8300c475ee2cbe95c89e576fb2161
SHA512 d7e82adab1334b6553bd30a79d0750581d5c5d8a07e1fee3cb0624a44b9837687c8e7a9a24d667c9ac51a7ff1d02c8a13bc95f5749eaadea8b22dde347707731