9a8ee4ec71108d8bb800d9747ee09c1104716077c85872976ac68cd573f77e71

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facture.exe
Size

1.8MB
MD5

d53029c32822e837f1e6fbfcbeaf7abc
SHA1

5f48681df5f654798ad7f08c56a125ed2011c6a4
SHA256

f5e1954809ccaac3bb708806467fc5f44a1f64d5482006c27c7bdf074ba09f14
SHA512

0267dc7597f755954eff9a37482b272801a9ddf00ab839491fe524fe8120cbb702e750c6e027105a12db8f382777b5b42ecc5755eb7d3ad95fe33b298f7749db
SSDEEP

24576:i7bl46OlC/oL3BczLgbyGDPb0BScBuayJzJhliRLpDC5kwhPEDeJf8H6zB35H:i75j/qcYbd7b0fSFQp22whPEDeCH615H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2440	facture.tmp
2240	firefox.exe

Loads dropped DLL 31 IoCs

pid	Process
2912	facture.exe
2440	facture.tmp
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
1280	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1280	2240	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2440	facture.tmp
2440	facture.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	facture.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2440	facture.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2912 wrote to memory of 2440	2912	facture.exe	28
PID 2440 wrote to memory of 2240	2440	facture.tmp	29
PID 2440 wrote to memory of 2240	2440	facture.tmp	29
PID 2440 wrote to memory of 2240	2440	facture.tmp	29
PID 2440 wrote to memory of 2240	2440	facture.tmp	29
PID 2240 wrote to memory of 1280	2240	firefox.exe	30
PID 2240 wrote to memory of 1280	2240	firefox.exe	30
PID 2240 wrote to memory of 1280	2240	firefox.exe	30
PID 2240 wrote to memory of 1280	2240	firefox.exe	30

C:\Users\Admin\AppData\Local\Temp\facture.exe
"C:\Users\Admin\AppData\Local\Temp\facture.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\is-FRHUV.tmp\facture.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FRHUV.tmp\facture.tmp" /SL5="$4001C,1583987,433664,C:\Users\Admin\AppData\Local\Temp\facture.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\firefox.exe
    "C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\MSVCP140.dll

Filesize
429KB

MD5
d25c3ff7a4cbbffc7c9fff4f659051ce

SHA1
02fe8d84d7f74c2721ff47d72a6916028c8f2e8a

SHA256
9c1dc36d319382e1501cdeaae36bad5b820ea84393ef6149e377d2fb2fc361a5

SHA512
945fe55b43326c95f1eee643d46a53b69a463a88bd149f90e9e193d71b84f4875455d37fd4f06c1307bb2cdbe99c1f6e18cb33c0b8679cd11fea820d7e728065

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\VCRUNTIME140.dll

Filesize
81KB

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-file-l1-2-0.dll

Filesize
17KB

MD5
ea4ae42721460002dc31515f295ad1c4

SHA1
8a970d589aa4c178083ee8fb65798a6ddecdc1cf

SHA256
668f91e94e76db4457184909e6a1ab4655e81a8ef37dc37b4ecfe93146c29a88

SHA512
5ea1f2fb8be9ffdf80250b47a440ddb3a41e46a8ce73b6f4834e59cb8d30a1b474f6a33d716efa43ac7ee52d37ac941f3d51021792b9d1439c831b8a368781b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-file-l2-1-0.dll

Filesize
17KB

MD5
ad895b2a99a3ec18f1690bbac1e2037a

SHA1
19fab11ca8d2ab4a3c1a863209cbdc77a69e1aed

SHA256
a11c772b2451b0c9c706b03381819e4a1def3e2fbbba8362509bbe57dbd5c666

SHA512
d021a5b8451bb8bac27b4f496a1a25e0a2b2f90c93a7e27850303c5feb9441f9b926b13ef024c176827e190f2dc04f401205983510dfab0946674d18994bbe8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
41a0d67ba3833d230f1229ff058be057

SHA1
a66fda76d97d059067f11c3e03869a1b9da439a0

SHA256
4f11443a2fa6c714d3e33597f0d08de4e11a6a2fdb7de2e4a01addd5977665c5

SHA512
a4138cc25ac899059a702f4e078e7662f15b7059089e53b6eb1a78a1bbebc03704421bdd0a5fcbdffd48be2842d587e4e3e56d881f0462f60cddc5c75fc14f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
2674310f6fc087862b215b26a5d6da5b

SHA1
6e226a29124716fb6c5c54cbbf3c2b6f727c9e5a

SHA256
e29eaa099be15958cb65d03d47959cae2dac342402856c5f0e4da672193c329d

SHA512
86964e2a71a32d7fd0c6f3061ecbe66dd10d4938e0f5e3572f962b53107524259f62001bdff7e4c9173a6b8270f46b76c1037dc69b8343f10e4b4e59bd8d6782

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-timezone-l1-1-0.dll

Filesize
17KB

MD5
fd14fcd1550f17701fbf239645b606fa

SHA1
0d7b1de80db94dabad3ce91d31fda1a8a1a6cfab

SHA256
a5453cd2b5e98d40ca17dd20a8f5974f29de7236a076867a3bc3cbca441be928

SHA512
162559d9e6e36bffe32be41f75075e711e6947adab2ad3bb37cf03e02e787ad5a6f3fb93af4b6c3f82e1107dc401d32dbd53fcba39f85839910e852c1109db5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
bc0be695e63548171105c57d2e9b98e7

SHA1
0c4506b330487c4b45900b06dfe0a3249f6b9d88

SHA256
d16c5b0e19870e86354b5e6cdc4c81e80777749f6bbe6b675f680cec0ffae35d

SHA512
095ef210f55233a0c0eb80fc2d94646de96cb2e66d1994d631fa82e5a71a5c26b32d33abc19ac69e64bd3e4789eb1a7595818a90494038ea1771c210cd81cb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
07ba5f40c64134e5749df0e8cfee082e

SHA1
5b872a7ea316b6b3ba604b88045b9b6f34ba4c8b

SHA256
136e5de4b535aabf6368c06f82339d2ef6c34165661f40433bcef4ebb90b30fe

SHA512
55b5c739d08f5627d9453709cc0d3d20c3fc08e9a1168f70381b49f8fdc8d91f15db85db51d47aaae612cbe920bb3ba83075e74888b2d62e3a962f181b3d2c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
49a69484b524c6f9fd641e015dd15154

SHA1
f6ec9e38d05ed66e8431b909aba0451ef8c9b540

SHA256
69c637c0be7ddfe0690d8c642ec6d0850085617c3c3dda9531cac818f06f66e8

SHA512
802d186f4b580541916c038999c0653765f2cb01c345549f6d927f7688b671b234c7ee05f2a9eba6c139f25c459e579da4437ee2ac03ed3fe3ebef849f178553

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
11218c9f81404a51d1eb6b56ba60f9ab

SHA1
acc303d1b1a5822ed7bcf8f666860a0a7aaffe91

SHA256
882da90b6368056908e9cd21c4719a016e9a3ca597eca9183892a5806b4a8d4a

SHA512
86928d70aec7bd7170863c0cdea110f8a4aa244efb30577310ad1908d71817b8a2aeb45833d5f710b15df8fe096234cfb069819b0f2b706cfcd15b5614615929

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-string-l1-1-0.dll

Filesize
23KB

MD5
e65f76759251845fa1e6a3cf41b5f231

SHA1
de4517eb0d8b330d3c2717e786f485150caf82ec

SHA256
034a8abf2bf027ad950fdf8fbdf488188c8d02eba8e160aa95de376ff1f32fe6

SHA512
afc7d0a26b2ffefb43846d621585fc35a2ce280eef1d046da5a327f20ae7b023cceb2bfd64176787ab86a76567e233215427686243e62eca5ded1ad14b19b5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
f7af6bb63229721005c8ac85dc86f5c2

SHA1
35ddd88fbea433a7e934ab0ca64907f8b0a85d9a

SHA256
fa10f7e2ab54c2ebcd4688e39bc4af1544fa21b73be7fd0562b3ff7cff041f7a

SHA512
e4f242ec6204dd481ea5b8b1edbfb9a7c8b136d9869fb85868325b21248aa170fecdf43075361e188b20a6f138f3760226b4cfb302929e04cd3901e6cb03961a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\dependentlibs.list

Filesize
8B

MD5
51356efebb94ce2c9a7f0a2a65ecf72a

SHA1
abe24fc811073b7e715864b23398549e2ff85244

SHA256
40f380ddd93e89986f68f59d045194c788829f75f3212998c6670ae69a2a6b82

SHA512
edff705603c3452b8193a7f81f11f08360bb09070fe045e8edd0ecf97b114b855a6ace5378278296f3dd0557c2467178ebeaba8749ba3240d9db613b01f4eca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\load.dll

Filesize
156KB

MD5
7c6653ace1c0c93a50838103bce58b89

SHA1
1be294c830e54d1b49eac436632df6851c8d4542

SHA256
2a6426da086fdccb85de8cb437350cc2d3532c09c6fcc7d32bf456ca13a9c412

SHA512
f191cae37b39085690be108123d39d797c90455708f42d4fb0f7c169d039f1948b699a55e4b444c87d4b8969f8e653013e171f0af849670eeca8350dd715a4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\mozglue.dll

Filesize
129KB

MD5
e2f7b050c6c83505611807e81db58e16

SHA1
a06a6fd60486e8b27e926f30b7d20fc7b2354eed

SHA256
9019976df7d3423dcceff61397360bb300f693a1bf98e5bfd33ad3fbeadd24d8

SHA512
efb432a1389136a9f87b8834b9c78c1baf953b84d338621e4841376d03b0a31d1f92186786c3cd8fb390a25a2ed77a2c0f1e3c49f73c57994ef684e552969407

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\ucrtbase.DLL

Filesize
895KB

MD5
d2c5233317767ee9329f470c39b046b1

SHA1
42493597d3ded76daa9a3c5cad5d4343958d0d55

SHA256
f085b1b009ab89049ba95dd4ffde276d5b1f6fa0055f58dc3fc0d4b03ae8116d

SHA512
930b31042b5ddc507d4810c10677db9786b8a16ad8a3ed09ba0a6256dddc9c2706d1957abbe3071d09c8cdcc2f142914ae7f7b727dc3e9f8dd7d821d118b715a

Download Submit
\Users\Admin\AppData\Local\Temp\is-FRHUV.tmp\facture.tmp

Filesize
1.0MB

MD5
8b5d7436be69f0d05b2a0e068e53459b

SHA1
6bc52978009d8369bfe7e3bdd5c644a8c1dd9a91

SHA256
705e35d97bbdb92e919f382928ec405459cada6cf671d4e61060c813ef07ea3a

SHA512
7236fe8b50467a4eb5939b270df0db867fc4cbb76445aa54ac9792a615b4c5134c17edb6e8a63f5348ffbe425bc71acad1c3ac33a26e413569d47b2bc9e8c002

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
f43a8e9cd787b6d91bb29dbb8eb1a4e5

SHA1
336b61853627e6e64a10fbb930577d30334e615e

SHA256
5bacbbe62e36ad0f6d7742e70361f26bc56a44dbd28cc0291f588420e0c218a6

SHA512
1fdc1170907346ef0eced900de9091136a6626c4bfc8b4416dfebbe356f35f9c2be0d2cf6c37e3dd231f3db8b5a3afe8973f15a45544c0c1c10682fe03911616

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
6bfbf95b7253f32a77bacdf119b678f3

SHA1
3e3522a9d62940e1e3c0ed6f785af0b5e3a33600

SHA256
9fc2486ed5d3fff78deb69a7386f4575451d43b67f759afb056ac66b82041e3d

SHA512
603a5a199a19028b2e496051772517c488fd3fcc05dd6bec51e15c58dad2981f7dab44c3d7e1be836afe8f3cf35ac90e574f0062737c353079e33096dba26f10

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
cb4e401ce4fc657ccebb85f96840cc8b

SHA1
359910f84b5faf0d194d534c2f631db5074ea28d

SHA256
b90bffa9e03ffd4ecf1d0d709c60f61d13490e84c4550ef06586bc9b1024ed00

SHA512
382df8909dc347dd86696756cd22650ee9be45146ffdf3b400da4e370c7c42bcdd4c7fdb807e5a9161211b975b9750ee6cb2b2e2132aad9d3f90db9956c2275e

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
b53d96644f5774fe29ba8bb12d6e5f66

SHA1
260cbbada90e29ee8e308996e973ce635496d53c

SHA256
be19250a19ed49ce247999d6f0b953edc2ab7c66b46f1cfbd0c24be91b84b297

SHA512
e894cae26ea86325a9012ec2a00086e136afe64f38f8da8b3c5ee1ccad87b1dcf502ad41e050c1ecfbc1c45d2c69a3c35c5322765ef92ddaf00e5e9953f3436f

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
66f65b59dff2f8927dc3c8045d8c3a0a

SHA1
ae459d1b4d6615587d8b9133ec72162c717287fc

SHA256
414a2bd84b042e2ccf758270647bcfa02d78eb0125c0584dd53f7245481d66b9

SHA512
4fa559f7e3b423a736081a67c8a19084288a870307547b19b2dccad935afdc56311a2045ceb4791d1ca33a05f7f1f906c21363a2076436431a118667f298d577

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
d67520bff673cab4b2ed1af12de37a1f

SHA1
752deacc54982012852e68c37253e95b8bb89aee

SHA256
44bbb2aec747e1cbc63fc7c4d2e8c5ec1ca9f9d026835ac2ccb0d60971b6107a

SHA512
a960ec529e6889b0f3253869fc72c4f65615141d23f42d808de99e192b89b15dbc24b1d37812dc89f68576662173f18bc047a46b92598567e8c7e37e51821ab0

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
1622347a34eba068916713cf28f46b67

SHA1
18b3960e88118195f17c4bef47df1f7935cee459

SHA256
9766c4200b3f51630097fce8d4f10b33383e663601802ada72660604876c99e9

SHA512
90b2398918487e0ccfe8f859aee6e729a4063a110204644a75649331f10895b6c4de09e57b6e20e8fac04ac413f54a82889e602d05f5f42690b87d9c2253fa2e

Download Submit
\Users\Admin\AppData\Local\Temp\is-TMQQF.tmp\firefox.exe

Filesize
518KB

MD5
52ffaba4273678bae75442f2bc85b470

SHA1
66a4c6cf92a4190a1480fd2b19ac84952fa715bd

SHA256
70225f14a28007815b0410b1f41f7ea6a16b6329fd69f7ec06386b05862cf5c4

SHA512
4d6e222378cc99b7ca64ec6738b97504201364760e94ba0276f272860608952e5a260b70a28246d6857404209c7b2ecefd0c22eba59b3788069da7a1b39266f2

Download Submit
memory/2240-157-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2240-156-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2440-9-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2440-168-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2912-3-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2912-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2912-167-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download