2a61e0add99b698af28cc73128adfcea58d0ff6bc7e83f60f20dbe17d4062eda

Analysis

max time kernel
92s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC Payment Advice_pdf.exe
Size

447KB
MD5

f77a61ddbb4fb65c094df3d6dca123c8
SHA1

21ffa60707fb515e8372b97c7bf4d3c023cb7c1f
SHA256

2a61e0add99b698af28cc73128adfcea58d0ff6bc7e83f60f20dbe17d4062eda
SHA512

9d6a1e912812e6d7ef71cb3052c5bab78c045f62c655e5eb3e314811d252c58a5093bd558cecbaa301554a100690ee3dbb375b4181288fa8d6d694f647ed56aa
SSDEEP

12288:OY+//tP+nHCkSRNdT3yVb64KdBNJneCsrygjs:OYEUnHCko3SVKblMO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1988	awogigkxwn.exe
4948	awogigkxwn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 4948	1988	awogigkxwn.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1212	4948	WerFault.exe	81

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1988	awogigkxwn.exe
1988	awogigkxwn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1988	3996	HSBC Payment Advice_pdf.exe	80
PID 3996 wrote to memory of 1988	3996	HSBC Payment Advice_pdf.exe	80
PID 3996 wrote to memory of 1988	3996	HSBC Payment Advice_pdf.exe	80
PID 1988 wrote to memory of 4948	1988	awogigkxwn.exe	81
PID 1988 wrote to memory of 4948	1988	awogigkxwn.exe	81
PID 1988 wrote to memory of 4948	1988	awogigkxwn.exe	81
PID 1988 wrote to memory of 4948	1988	awogigkxwn.exe	81

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe
  "C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe" C:\Users\Admin\AppData\Local\Temp\hqcsbqa.ngf
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe
    "C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 184
      4⤵
      Program crash
      PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4948 -ip 4948
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe

Filesize
120KB

MD5
74563cc65aa6e207020d00b0f2cecd4d

SHA1
c69d15dd8ec11b06c093dc4165a4b22bf03d45c4

SHA256
25dd51e576edf808eeb3586ee0f928dd153b1dea7bc323aa8a2b943c8b754fb5

SHA512
2f085dc3e341c11d3e25e70316b6ad04a2338da8dd4e3c73eb0a493e61e2e4799fd3fe0132671cb08a7dcc9c6f5e6ccffd1d302fa8a6c4ed9762d42cbbef9efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe

Filesize
120KB

MD5
74563cc65aa6e207020d00b0f2cecd4d

SHA1
c69d15dd8ec11b06c093dc4165a4b22bf03d45c4

SHA256
25dd51e576edf808eeb3586ee0f928dd153b1dea7bc323aa8a2b943c8b754fb5

SHA512
2f085dc3e341c11d3e25e70316b6ad04a2338da8dd4e3c73eb0a493e61e2e4799fd3fe0132671cb08a7dcc9c6f5e6ccffd1d302fa8a6c4ed9762d42cbbef9efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\awogigkxwn.exe

Filesize
120KB

MD5
74563cc65aa6e207020d00b0f2cecd4d

SHA1
c69d15dd8ec11b06c093dc4165a4b22bf03d45c4

SHA256
25dd51e576edf808eeb3586ee0f928dd153b1dea7bc323aa8a2b943c8b754fb5

SHA512
2f085dc3e341c11d3e25e70316b6ad04a2338da8dd4e3c73eb0a493e61e2e4799fd3fe0132671cb08a7dcc9c6f5e6ccffd1d302fa8a6c4ed9762d42cbbef9efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqcsbqa.ngf

Filesize
5KB

MD5
8caae125c3a92088b472f6e4c8ffccbe

SHA1
b5e983310140e44a92bcc3078a71f6fb26e6e709

SHA256
38b099b8ba8fed3131af3173bc1f1c8acb10ae7dcd6b725a7a6379f500b88ab2

SHA512
0981b0f101d663a7943dcd20d2427f08df36a79e7c6448466e1f04dadf5b0eae88cc17cb8eb5821c6605235e61a490bf40e3a05d49c0102b91d0d13dd3eeb6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylrgm.v

Filesize
206KB

MD5
fd32fd0d86e79e3a1297ecb8810e6090

SHA1
71d26b7fd5cd92e72675ee4778008eccb2ed9feb

SHA256
152a91a433e2c3f74c2384bbc3f876774ebecae4090430dbabfb38f44be35067

SHA512
823a76e8674c1fdf49e88bd54b4a35dd57736e1f5706583b622de12837416ac79552809fbeedeb079d5ad91e6aee0f17084eccc310b3fac385bde6b046af1256

Download Submit
memory/1988-132-0x0000000000000000-mapping.dmp

Download
memory/4948-137-0x0000000000000000-mapping.dmp

Download