Analysis
-
max time kernel
72s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-01-2024 12:06
General
-
Target
https://cdn.discordapp.com/attachments/1195298016588996621/1195298089410506833/Factura-PDF.GZ?ex=65b37b18&is=65a10618&hm=17a4293eb33fe94c52b5138d86634e07139f0062b5667b82714df3d7e0ee4a3e&
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Program crash 1 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 27 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1195298016588996621/1195298089410506833/Factura-PDF.GZ?ex=65b37b18&is=65a10618&hm=17a4293eb33fe94c52b5138d86634e07139f0062b5667b82714df3d7e0ee4a3e&1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\Factura-PDF.GZ"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\Desktop\Factura-PDF.exe"C:\Users\Admin\Desktop\Factura-PDF.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 2842⤵
- Loads dropped DLL
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
680KB
MD53c1ddbf680fb31088c8e1ec00bbeba1f
SHA11a96be75a828f2f0dc4f07f6ce5e2138a05aa64b
SHA2560280e801914156055f67f030d6bed874e4a071c772d60e19758983c42181102b
SHA512c777d17ac4aa8712383a4c659a588f684ae88cc42f7c85551e260f2466f4318237e5b432b26f9c6002d9e8d2bfe43298f508625a39fc002aeb434d402e23e723
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
1.3MB
MD582bcdae78be1a973c4627ff5bf92b218
SHA1325388e5c0a59dd56d23573e35f260ecd4ec46e6
SHA256e7251cdfe10bf0731137674fa26df6f0f2f50f2dc92b67607a5776ed7bb4ffb7
SHA51217d0b350a012a37126a67580b34488b548b97bf7dd7e71e280c5c484359b3f80eb4da67a4a7f725ae65b32f55ff0a3d78888e49d474a14b1f64caac48d3a3212