Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
19/10/2022, 17:39
Static task
static1
Behavioral task
behavioral1
Sample
REMITTANCE SLIP ADVISE_pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
REMITTANCE SLIP ADVISE_pdf.exe
Resource
win10v2004-20220812-en
General
-
Target
REMITTANCE SLIP ADVISE_pdf.exe
-
Size
209KB
-
MD5
1be9bac6394ecf58c82ff9cfdb17beb7
-
SHA1
586d42863e3866230a13c2d753e94aa5991f665e
-
SHA256
5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af
-
SHA512
e5645dde55795a16287eab52c0ad45adefa9c2ec91d40ce49b486f7e9baaab52dd29d6170e381c4cc917adac1db8da27bf8fc81a8b58fcad7c8bcb33fd43ec2c
-
SSDEEP
6144:mbE/HUbt040+3ZQ7qazA4V8rPYqFzak0BqrUe:mb/tiiIqa89P3FqsX
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  pid   Process
  4764  hcpyulw.exe
  368   hcpyulw.exe
-
Loads dropped DLL (1 IoC)
  pid   Process
  3632  hcpyulw.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                            Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                             hcpyulw.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  hcpyulw.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                             hcpyulw.exe
These are the Outlook profile locations (Office 2016/365, the pre-2013 Windows Messaging Subsystem path, and Office 2013) where stored mail account credentials live; opening all three from a dropped binary is a credential-theft pattern, not normal Outlook use.
-
Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process           procid_target
  PID 4764 set thread context of 3632    4764  hcpyulw.exe       84
Together with the memory writes from 4764 into 3632 listed below, this is the classic process hollowing sequence: the parent spawns a copy of itself, writes a new image into it, then redirects the child's main thread with SetThreadContext. The child, PID 3632, is the process that goes on to touch the Outlook profile keys.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but nothing else in this report supports that; the Outlook and browser-data access above points toward credential theft.
-
Program crash (1 IoC)
  pid   pid_target  Process        procid_target
  3492  4764        WerFault.exe   81
WerFault.exe (PID 3492) handled a crash of hcpyulw.exe (PID 4764), the injecting parent, after it had already set up PID 3632.
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid   Process
  Token: SeDebugPrivilege    3632  hcpyulw.exe
SeDebugPrivilege is what a process requests before opening other processes for memory reads or injection; an unsigned executable in %TEMP% has no legitimate reason to hold it.
-
Suspicious use of WriteProcessMemory (10 IoCs, identical rows collapsed)
  description                          pid   Process                          procid_target  count
  PID 4148 wrote to memory of 4764     4148  REMITTANCE SLIP ADVISE_pdf.exe   81             3
  PID 4764 wrote to memory of 368      4764  hcpyulw.exe                      83             3
  PID 4764 wrote to memory of 3632     4764  hcpyulw.exe                      84             4
-
outlook_office_path (1 IoC)
  description  ioc                                                                                                                  Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   hcpyulw.exe
-
outlook_win_path (1 IoC)
  description  ioc                                                                                                                                            Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  hcpyulw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe (PID 4148, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe"
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe (PID 4764, depth 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe (PID 368, depth 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
            - Executes dropped EXE
       |
       +- C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe (PID 3632, depth 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
       |
       +- C:\Windows\SysWOW64\WerFault.exe (PID 3492, depth 3)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 660
            - Program crash
-
C:\Windows\SysWOW64\WerFault.exe (PID 1184, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4764 -ip 4764
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize  133KB  (this entry is listed four times in the report with identical hashes)
MD5       4f55952b6403887ac5f6892b87e7d704
SHA1      b9a2cb36197806c79c1c62aa610b4b010e20d104
SHA256    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606
SHA512    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11
-
Filesize  104KB
MD5       d1c8d9bf46a1165e80e3b59635bf2884
SHA1      f704bc41a4930a4859420423f404cac43de8e527
SHA256    59d386110a90dd8fc51c3a602c5624b2456b6f2fdf371fac8540c2dba62f4d23
SHA512    b9db300d11b5472791585e4bece00ab1477b0a9a8454674f62c7ea9afe0be691f3c50e6a642ae44ea5f8cc7cf004997e7428e6d1ac865051c1b4f2d6a61aa36d
-
Filesize  4KB
MD5       cd49ab3b45660b0472efda650f1c3480
SHA1      b5686c548f951ed51dd20f0454e75720fb4c6f05
SHA256    fd5997ddb1a6b2bea0ddde2b531a5e1c76f8300c475ee2cbe95c89e576fb2161
SHA512    d7e82adab1334b6553bd30a79d0750581d5c5d8a07e1fee3cb0624a44b9837687c8e7a9a24d667c9ac51a7ff1d02c8a13bc95f5749eaadea8b22dde347707731