a320ad98e8b6806b5b51ec489ae27f0b7400c078de79513308e51a8702ccef64

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2553c5f252ae715435fe09cec92f444d.exe
Size

1.1MB
MD5

2553c5f252ae715435fe09cec92f444d
SHA1

44343ef1fc3b15b7866ef6170836a1f36be3a258
SHA256

a320ad98e8b6806b5b51ec489ae27f0b7400c078de79513308e51a8702ccef64
SHA512

7fc88d4b20b008c991f58a5fe10508cec62dc4905c5e81adafa2b686e0662450f1600f989eb92c1d2c5eb579455de799fce5a26bbdc28d9d57c46557ba467a3f
SSDEEP

24576:Ok6+c2dkF9VoDm7zq3yRozWrj0xSlIQBd0X2tAJqFVchzvsre:ObLre3yOzWMc2QBdBqJqF8sre

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	RFQ_INVOICE-09876543234567654‮rcs.exe

Loads dropped DLL 4 IoCs

pid	Process
2156	2553c5f252ae715435fe09cec92f444d.exe
2156	2553c5f252ae715435fe09cec92f444d.exe
2156	2553c5f252ae715435fe09cec92f444d.exe
2156	2553c5f252ae715435fe09cec92f444d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
800	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	RFQ_INVOICE-09876543234567654‮rcs.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
800	AcroRd32.exe
800	AcroRd32.exe
800	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 800	2156	2553c5f252ae715435fe09cec92f444d.exe	29
PID 2156 wrote to memory of 800	2156	2553c5f252ae715435fe09cec92f444d.exe	29
PID 2156 wrote to memory of 800	2156	2553c5f252ae715435fe09cec92f444d.exe	29
PID 2156 wrote to memory of 800	2156	2553c5f252ae715435fe09cec92f444d.exe	29
PID 2156 wrote to memory of 1048	2156	2553c5f252ae715435fe09cec92f444d.exe	30
PID 2156 wrote to memory of 1048	2156	2553c5f252ae715435fe09cec92f444d.exe	30
PID 2156 wrote to memory of 1048	2156	2553c5f252ae715435fe09cec92f444d.exe	30
PID 2156 wrote to memory of 1048	2156	2553c5f252ae715435fe09cec92f444d.exe	30

C:\Users\Admin\AppData\Local\Temp\2553c5f252ae715435fe09cec92f444d.exe
"C:\Users\Admin\AppData\Local\Temp\2553c5f252ae715435fe09cec92f444d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:800
- C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INVOICE.pdf

Filesize
205KB

MD5
6823bc6c640db5b4e2e4a9587186a29f

SHA1
4181714d266d95c5eece874e1e8132b4326cae29

SHA256
0fba51f53a7587f6b2d0e6faebefb8b775b664c93d71d9fb27879730f44af257

SHA512
8e9d35c7924b3ff11a402a1b93c0b1732772265c2124cd7cfd7310490b126ef2bd07511491e3b54d2abfcc1cef020bad5992ea3c60d0f9e3538a3a1c88eb11b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
547KB

MD5
ee4d4bbd7afff7a0a4fc1c8bec65f25d

SHA1
f5e4d70e182823ee69fe64355608e972da7a4378

SHA256
fecf840a3cc9fc85c5b2cc699be382cfc2e99cdc0d732bbf1f66d2470f83a1b0

SHA512
0a8af0682d9b9c657a08196ad38a2f3cb64a337a8d89a7c74973f98a30d7d774917cb6707d5a2df331a0be7e3e7d1726ff867cb9714db560299757c6b95767fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
437KB

MD5
ca6b0656ef88247d9f03364c39f4533f

SHA1
8c460518e7b0a98eb6fdb484b3da117cad67809c

SHA256
e28e601d2dfd4b2cec27bf1117cf2d01ba66e85b2cce66c92c56ba4aa5fb0943

SHA512
48d069bfe0cc159654f019783d6b603fef969b3795292b852cfb7a5169da18352930fb780737f814b3c1884c6cd85588d120956da6bb92a4c0390f81a77bae95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
857KB

MD5
9a16d09eebd4c93cea8c716fffd54329

SHA1
9b55d19f61d731d7d19a52b30bc7a71d2ebd5201

SHA256
b409ee566ea7f96da11cb8ede84a5069e907cc107390a8c315f31f30260904d4

SHA512
116bb48b3bab8fa4fb15576171bb90ba6639032038d2647ad1fc60288a1063a52daf5bf1090e2da012d0883e8becc3c5e55e1f971c87ec8079e40cdddb017c24

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8016a9c5c8fac1fa934ec15000c26de0

SHA1
bcbceb300caf6de5d3960633c7964d91b18e9070

SHA256
6dda811c95df7c34e2d49b788bd0fc019936b9e804d8dc40455a6aa66d918e7e

SHA512
82759675f78c36fbeafc2119eae8789a957d38e2a9b593f2510f69658b4a95b6d6efa9b8f13c6e91e41150f4bbeb19deed2a78e1a3d457b593aab564820ee44b

Download Submit
\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
799KB

MD5
2303127de5645f8110e3d15f57b2401f

SHA1
489f6c68cc63e0f49f87fa1116a58b8d42c96673

SHA256
3ba8627cf01f564909dac155386f73ceb5ac40004dd28a7dc4b5cb89545531eb

SHA512
a57419538e0f49e93c106f59b91903475070493bb77122b0f952c9ce669c6f394bde19b55f7f4b58ecd2034f4ac7ec3b58e261fd1a2525f72be5d5974e672e33

Download Submit
\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
19KB

MD5
5d1e851677f528f9b0ba1340dd2c70fd

SHA1
76a842d78af3b9e862ef4c794962e1f72b1fe688

SHA256
620ecc42d510ced78331c99c2297e9829e2a2d6d5ac048026c3258264ef2b6f5

SHA512
1cf872fc211cfce25a617c3486f020e4e94c505ef1ac6e56dc6fd2063c45b148a9231eb21cf08c56baef707bf9ad68517980fc4b245246812d7ba86fe3ad018e

Download Submit
\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
632KB

MD5
a129313cfbf60746a8be0ad4c7fd8ae6

SHA1
03868cf20e2caf40345c32a16f7703eee8fb43c4

SHA256
e6d1d3c653d8db899a05d6d14da90c629afc2f0a2b5c306fdd21ea295ca0b8ac

SHA512
0d7e77d3fad135e6fd6d78821654d989a835f5173be82246d4a6d70e3351309d757cf9975c1ea7f78b9035958bf8c20f08ed055ff810fdebcf22f8b6eefab4a2

Download Submit
\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654‮rcs.exe

Filesize
725KB

MD5
3ee489abb8305f88991b41e8e89c0f73

SHA1
b8e61e78fb73c267b36f03233cd7f752fd24aae7

SHA256
2bd745ef9a7d96dad747b123292807f33a1e39ff6fccbd4f462eef7d0961ac3c

SHA512
73779db10f4ef28cb1ace78f795d46478b10cb64687f0026b49bd0ce6be575726e108e432348ecb2a735da47106f17ac3d68d45b0bffb7078c5b4cdb3fbc752d

Download Submit
memory/1048-19-0x0000000001390000-0x00000000014AE000-memory.dmp

Filesize
1.1MB

Download
memory/1048-22-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/1048-18-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-39-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-40-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download