9a8ee4ec71108d8bb800d9747ee09c1104716077c85872976ac68cd573f77e71

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facture.exe
Size

1.8MB
MD5

d53029c32822e837f1e6fbfcbeaf7abc
SHA1

5f48681df5f654798ad7f08c56a125ed2011c6a4
SHA256

f5e1954809ccaac3bb708806467fc5f44a1f64d5482006c27c7bdf074ba09f14
SHA512

0267dc7597f755954eff9a37482b272801a9ddf00ab839491fe524fe8120cbb702e750c6e027105a12db8f382777b5b42ecc5755eb7d3ad95fe33b298f7749db
SSDEEP

24576:i7bl46OlC/oL3BczLgbyGDPb0BScBuayJzJhliRLpDC5kwhPEDeJf8H6zB35H:i75j/qcYbd7b0fSFQp22whPEDeCH615H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1660	facture.tmp
2720	firefox.exe

Loads dropped DLL 5 IoCs

pid	Process
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
628	2720	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	facture.tmp
1660	facture.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1660	facture.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1660	2716	facture.exe	82
PID 2716 wrote to memory of 1660	2716	facture.exe	82
PID 2716 wrote to memory of 1660	2716	facture.exe	82
PID 1660 wrote to memory of 2720	1660	facture.tmp	86
PID 1660 wrote to memory of 2720	1660	facture.tmp	86
PID 1660 wrote to memory of 2720	1660	facture.tmp	86

C:\Users\Admin\AppData\Local\Temp\facture.exe
"C:\Users\Admin\AppData\Local\Temp\facture.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\is-7HGLE.tmp\facture.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7HGLE.tmp\facture.tmp" /SL5="$70092,1583987,433664,C:\Users\Admin\AppData\Local\Temp\facture.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\firefox.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 276
      4⤵
      Program crash
      PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2720 -ip 2720
1⤵
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\dependentlibs.list

Filesize
8B

MD5
51356efebb94ce2c9a7f0a2a65ecf72a

SHA1
abe24fc811073b7e715864b23398549e2ff85244

SHA256
40f380ddd93e89986f68f59d045194c788829f75f3212998c6670ae69a2a6b82

SHA512
edff705603c3452b8193a7f81f11f08360bb09070fe045e8edd0ecf97b114b855a6ace5378278296f3dd0557c2467178ebeaba8749ba3240d9db613b01f4eca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\firefox.exe

Filesize
518KB

MD5
52ffaba4273678bae75442f2bc85b470

SHA1
66a4c6cf92a4190a1480fd2b19ac84952fa715bd

SHA256
70225f14a28007815b0410b1f41f7ea6a16b6329fd69f7ec06386b05862cf5c4

SHA512
4d6e222378cc99b7ca64ec6738b97504201364760e94ba0276f272860608952e5a260b70a28246d6857404209c7b2ecefd0c22eba59b3788069da7a1b39266f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\load.dll

Filesize
156KB

MD5
7c6653ace1c0c93a50838103bce58b89

SHA1
1be294c830e54d1b49eac436632df6851c8d4542

SHA256
2a6426da086fdccb85de8cb437350cc2d3532c09c6fcc7d32bf456ca13a9c412

SHA512
f191cae37b39085690be108123d39d797c90455708f42d4fb0f7c169d039f1948b699a55e4b444c87d4b8969f8e653013e171f0af849670eeca8350dd715a4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\mozglue.dll

Filesize
129KB

MD5
e2f7b050c6c83505611807e81db58e16

SHA1
a06a6fd60486e8b27e926f30b7d20fc7b2354eed

SHA256
9019976df7d3423dcceff61397360bb300f693a1bf98e5bfd33ad3fbeadd24d8

SHA512
efb432a1389136a9f87b8834b9c78c1baf953b84d338621e4841376d03b0a31d1f92186786c3cd8fb390a25a2ed77a2c0f1e3c49f73c57994ef684e552969407

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\msvcp140.dll

Filesize
429KB

MD5
d25c3ff7a4cbbffc7c9fff4f659051ce

SHA1
02fe8d84d7f74c2721ff47d72a6916028c8f2e8a

SHA256
9c1dc36d319382e1501cdeaae36bad5b820ea84393ef6149e377d2fb2fc361a5

SHA512
945fe55b43326c95f1eee643d46a53b69a463a88bd149f90e9e193d71b84f4875455d37fd4f06c1307bb2cdbe99c1f6e18cb33c0b8679cd11fea820d7e728065

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3EL4E.tmp\vcruntime140.dll

Filesize
81KB

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7HGLE.tmp\facture.tmp

Filesize
1.0MB

MD5
8b5d7436be69f0d05b2a0e068e53459b

SHA1
6bc52978009d8369bfe7e3bdd5c644a8c1dd9a91

SHA256
705e35d97bbdb92e919f382928ec405459cada6cf671d4e61060c813ef07ea3a

SHA512
7236fe8b50467a4eb5939b270df0db867fc4cbb76445aa54ac9792a615b4c5134c17edb6e8a63f5348ffbe425bc71acad1c3ac33a26e413569d47b2bc9e8c002

Download Submit
memory/1660-7-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1660-121-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2716-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2716-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2716-123-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2720-115-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2720-116-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download