Analysis
-
max time kernel
145s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
01-05-2024 03:36
General
-
Target
Fattura 00384788-0849838.pdf.exe
-
Size
867KB
-
MD5
921023d253b6dfac1eaabe38f3b36a45
-
SHA1
82ae601f2eb5202a5314feffb2a9bd07c5f33327
-
SHA256
a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1
-
SHA512
86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115
-
SSDEEP
24576:+XH+j3CgxpmJI+QhQ3r+HVqQUEHpGzOUPZ:Jj3CgxpNhN16EHpCx
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 56 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 2 IoCs
-
Modifies data under HKEY_USERS 23 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵
-
C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\dkyedvf.exeC:\Users\Admin\AppData\Local\Temp\dkyedvf.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dkyedvf.exeC:\Users\Admin\AppData\Local\Temp\dkyedvf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 6363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 6523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 23201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2320 -ip 23201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\suaiukaFilesize
654B
MD52d18045636569317c440a98a1dfe8924
SHA176c687fb67972b8f2e7277351b410f1270312a1a
SHA256e97e45480be43f772878c2624d1548f2b6ad25db626a4ecdcd75285a3c8e810e
SHA5126446c99a4f511415145a3888398557edd4197b65823382a34efb6aa4011e1a92a91553e96a3502e39833ef74c9955d08ab79040d73bb39b4aad24d4348ed56df
-
C:\Users\Admin\AppData\Local\Temp\dkyedvf.exeFilesize
867KB
MD5921023d253b6dfac1eaabe38f3b36a45
SHA182ae601f2eb5202a5314feffb2a9bd07c5f33327
SHA256a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1
SHA51286229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115
-
C:\Users\Admin\AppData\Local\Temp\nsb3190.tmp\System.dllFilesize
11KB
MD5883eff06ac96966270731e4e22817e11
SHA1523c87c98236cbc04430e87ec19b977595092ac8
SHA25644e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA51260333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
C:\Users\Admin\AppData\Roaming\LICENSE_en_US.TXTFilesize
2KB
MD500d7ffb88aeb3f3fa5ae3178591139ef
SHA1b5edc99a205912d98207c1314d696dfe48192118
SHA256f8dfac00ca2636f16dbb824c1626a607308bb582356fb736d1ee3f5f2656d861
SHA51203e9df7a1cd6b214b03830b184bf0e7c0abb48da36a184402f2bb3590991bb027cff95cc8751d83cb5c7f7fcddc6969e746056a307d30cfc9fe937010f9a4fa7
-
C:\Users\Admin\AppData\Roaming\NsResize.dllFilesize
60KB
MD59c655b0c142db0494026c1ebb1b3923f
SHA12dbebe42968e78200688e40ab5b8d25bf8e0b4df
SHA256ef2d114896f07fc20aed5c3045754de0103813aa31bedb188262cec6fb3263dd
SHA51251d7efab18f6909daf61534befa2e20eec437c24114f7c21b383004806d4b8869dc12395a972965c89dbeb66fe0282833207b5aa93ec7f085ca7054d0a0d9f1d
-
C:\Users\Admin\AppData\Roaming\README_kn_IN.TXTFilesize
409B
MD5ade6c65fd0eeb73a60e279fdc7da023b
SHA14af90b3176b51d1e70e5561e27a2a2fd2277edcb
SHA25656c2ecc106829db1020d48fe49a4802a4ee24875a8a873fff86ff0c413a3e226
SHA5126bce13814640b256b83fa54b9d8df0e34076734baaa090b9aa433eefff87324b6782dd36567ea1c231480714c15df30dafb0cc665ea8194c1ada2f956ec0b83e
-
C:\Users\Admin\AppData\Roaming\default_hash.JSFilesize
136B
MD506a09bda9d5dd7dba611b2dd460d545e
SHA173946d0150e298464b8a55a107bb22be6368029c
SHA256c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e
SHA512b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459
-
C:\Users\Admin\AppData\Roaming\setup.ISSFilesize
241B
MD5698f513c0c9d50ac789cfbe4bde1b467
SHA1122acd3c51b72fc2bf4dc556cac09f9e6c6445fa
SHA256f19b204261a5524ed3f5204fbd01d91f06fe1b2181b2fa2c2c7629ccb4e54b16
SHA512c2b5ef941d332d2faa780d044ee5fee6f59d7852e5b0a5974fa47c9b9f03c2b3d867423004eae788ac765f30dbe65bc3b71cd9b679b1ff5dee78eb8fc82f41fc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfmFilesize
684B
MD57d3be2ec810fa01a9ea7d2a26551cff7
SHA17962465ce36a83666fe7a3edcb31e125ed597e93
SHA2561a5660f3f8bb9d18fd6a710d70af26cf1e167fe040d7daf3ce41e527236e1fec
SHA512cd4ba616364f37aa8294c9a2a6b64ed3cf0b011cfcffa9056295b5fc23348c2b3cfa96a25954c6dc472053daa1f9f4b08176a515c95abab6ffd7077deb8d7959
-
memory/780-177-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-188-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-3525-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-155-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-158-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-163-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-161-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-370-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/780-157-0x00000000390B0000-0x0000000039127000-memory.dmpFilesize
476KB
-
memory/2144-72-0x0000000000400000-0x00000000004A4600-memory.dmpFilesize
657KB
-
memory/2144-73-0x00000000009B0000-0x0000000000BFB000-memory.dmpFilesize
2.3MB
-
memory/2144-71-0x0000000000790000-0x00000000009AA000-memory.dmpFilesize
2.1MB
-
memory/2144-70-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/2144-68-0x0000000000400000-0x00000000004A5000-memory.dmpFilesize
660KB
-
memory/2320-152-0x00000000008A0000-0x0000000000AEB000-memory.dmpFilesize
2.3MB
-
memory/3272-64-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB
-
memory/4224-141-0x0000000001BB0000-0x0000000001BC0000-memory.dmpFilesize
64KB