Analysis
- max time kernel: 162s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 10:58
Behavioral task: behavioral1
- Sample: FACTURA_.EXE.exe
- Resource: win7-20240221-en
General
- Target: FACTURA_.EXE.exe
- Size: 710KB
- MD5: 8670ff57444ced9cc643f4588e41a93e
- SHA1: 7195dc5aeda6f7f88e32e3aab2c696959c4e42a5
- SHA256: 4150a9254130775146e1973ba461ffacc7d51365da70db48becba50fbfc1e39d
- SHA512: d4948994ac3dfb526a0b03b8c3d442c4254f2145fbe3574f45e4b4bd5ddbc575870ad261de7f92a351808ecb1c8b62ea9c4e86c69ae945c4cb8cccf090c5c0fd
- SSDEEP: 12288:AsHzOUNUSB/o5LsI1uwajJ5yvv1l2WiqfqVR7idUfRgtdvGmavCbyBW6/:TiUmSB/o5d1ubcvpjbdWgf2W6/
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 24.vbs (process: DADDY 24.exe)

Executes dropped EXE (1 IoC)
Processes:
- PID 2460: DADDY 24.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 2852: FACTURA_.EXE.exe

Matches YARA rule upx
Resources:
- behavioral1/memory/2852-0-0x0000000000F80000-0x000000000110F000-memory.dmp
- \Users\Admin\AppData\Local\directory\DADDY 24.exe
- behavioral1/memory/2852-14-0x0000000000F80000-0x000000000110F000-memory.dmp
- C:\Users\Admin\AppData\Local\directory\DADDY 24.exe
- behavioral1/memory/2852-18-0x0000000000F80000-0x000000000110F000-memory.dmp
- behavioral1/memory/2460-34-0x0000000000E40000-0x0000000000FCF000-memory.dmp
- C:\Users\Admin\AppData\Local\directory\DADDY 24.exe
- behavioral1/memory/2460-37-0x0000000000E40000-0x0000000000FCF000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe" (process: svchost.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: ip-api.com

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching YARA rule autoit_exe:
- behavioral1/memory/2852-14-0x0000000000F80000-0x000000000110F000-memory.dmp
- behavioral1/memory/2852-18-0x0000000000F80000-0x000000000110F000-memory.dmp
- behavioral1/memory/2460-34-0x0000000000E40000-0x0000000000FCF000-memory.dmp
- behavioral1/memory/2460-37-0x0000000000E40000-0x0000000000FCF000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2460 (DADDY 24.exe) set thread context of PID 2672 (svchost.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2672: svchost.exe (2 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 2460: DADDY 24.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, PID 2672: svchost.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 2852: FACTURA_.EXE.exe (2 entries)
- PID 2460: DADDY 24.exe (2 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 2852: FACTURA_.EXE.exe (2 entries)
- PID 2460: DADDY 24.exe (2 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 2852 (FACTURA_.EXE.exe) wrote to memory of PID 2460 (DADDY 24.exe), 4 entries
- PID 2460 (DADDY 24.exe) wrote to memory of PID 2672 (svchost.exe), 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\FACTURA_.EXE.exe (PID 2852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA_.EXE.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\directory\DADDY 24.exe (PID 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA_.EXE.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2672)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA_.EXE.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 2820)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe (PID 1956)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe (PID 2272)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe (PID 2056)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\holloing
  Filesize: 29KB
  MD5: 9051a40b6ac75f6b5347da6925ecfccd
  SHA1: 328c6977e8d88b2a606c9a94e46d700df29e8f03
  SHA256: c67d018207edfcb91b774d1a63f6eafb864db567b5f3c5a741d56c3c315b8870
  SHA512: 73fd3b38b41285ae0ebca8b815bb47f4139029173d8d80968b14b184991114174e38bb7f27ca17f020d3f090542b311f64f37c8599c99a39d3412fa8be66e3d5
- C:\Users\Admin\AppData\Local\Temp\outbluffed
  Filesize: 321KB
  MD5: c9d48e11c2310c97b41d29cda85d5e98
  SHA1: 00b37cd3d43d8ff20e6b70ad28fa155729c3327a
  SHA256: a31829ce442837ee0fef65dc83d813706446dc22e8fb001f227517d33585f327
  SHA512: ffaf91d73f689dfeebe7b6983a675b26f45a1ac5133301757bd57abb90378bda1a0c8bcda2e6bf40896b00278c3840d2957cc02da2d2a253a6848d9b9cf0d1e3
- C:\Users\Admin\AppData\Local\directory\DADDY 24.exe
  Filesize: 5.8MB
  MD5: 025d228c8e6a4e4a0ff28c6af0dfcc2e
  SHA1: 84a7b9e7d6dc942e08db884b211ef490c58b0465
  SHA256: 0b74d338568d0919c2d766d004ae32e6ac1d3ff050768c29bdd4ef0382261a72
  SHA512: a84a6b09352f2dac2576a09c8a7287e6798652ad922d48b532acc3025106eb4e3c07599dd579b1167fe73641b734afd6a1ae80936912a7147f3c21080bca9021
- C:\Users\Admin\AppData\Local\directory\DADDY 24.exe
  Filesize: 7.5MB
  MD5: 0012e18d4abc9fef2697ed6a82f8aecf
  SHA1: f09eefd4b6148c877b316d23d1428fac9a801693
  SHA256: 0dcb2fd1d0f7a35ebb331af52b22eee744b3e3576dd82d73acf101a1a64d36ab
  SHA512: ae3c13964249b5bac7c18def6a5344f2e1c4513575bb933169f70dfe8c68638a066238ccc314864ded0b65bf5e6ceb2535f86c0615d60c0eab1f159cc37dfa70
- \Users\Admin\AppData\Local\directory\DADDY 24.exe
  Filesize: 5.6MB
  MD5: 4d64973260d74fd9681b4de375b46367
  SHA1: b79789cbc0660e977c4ab05ea988b79d85e6fdbf
  SHA256: 9458c6403a32379bad2fac83d30c352e23ccf4057425e07d66795d955991d2e5
  SHA512: 0effd778f9c80e0219ba7ed63bc41a720927efe5757c38ed785e02c36b86e0566d1a4d45215aa09b14947978f96f605e569455e984c3534c2f8e919836566071

Memory dumps (path: filesize)
- memory/2460-37-0x0000000000E40000-0x0000000000FCF000-memory.dmp: 1.6MB
- memory/2460-34-0x0000000000E40000-0x0000000000FCF000-memory.dmp: 1.6MB
- memory/2672-44-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-46-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-42-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-43-0x0000000000460000-0x00000000004A2000-memory.dmp: 264KB
- memory/2672-36-0x0000000000400000-0x0000000000454000-memory.dmp: 336KB
- memory/2672-41-0x0000000073EE0000-0x00000000745CE000-memory.dmp: 6.9MB
- memory/2672-39-0x0000000000400000-0x0000000000454000-memory.dmp: 336KB
- memory/2672-40-0x0000000000400000-0x0000000000454000-memory.dmp: 336KB
- memory/2672-50-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-49-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-48-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2672-47-0x0000000073EE0000-0x00000000745CE000-memory.dmp: 6.9MB
- memory/2672-45-0x0000000004600000-0x0000000004640000-memory.dmp: 256KB
- memory/2852-0-0x0000000000F80000-0x000000000110F000-memory.dmp: 1.6MB
- memory/2852-18-0x0000000000F80000-0x000000000110F000-memory.dmp: 1.6MB
- memory/2852-11-0x00000000001A0000-0x00000000001A4000-memory.dmp: 16KB
- memory/2852-21-0x0000000002C30000-0x0000000002DBF000-memory.dmp: 1.6MB
- memory/2852-14-0x0000000000F80000-0x000000000110F000-memory.dmp: 1.6MB