Overview

overview

10

Static

static

3

Uw Factuur...df.exe

windows7-x64

10

Uw Factuur...df.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

403-16.htm

windows7-x64

1

403-16.htm

windows10-2004-x64

1

403-18.htm

windows7-x64

1

403-18.htm

windows10-2004-x64

1

404.htm

windows7-x64

1

404.htm

windows10-2004-x64

1

Linker.dll

windows7-x64

1

Linker.dll

windows10-2004-x64

3

Warn If RGB.js

windows7-x64

3

Warn If RGB.js

windows10-2004-x64

3

asyncqueue.js

windows7-x64

3

asyncqueue.js

windows10-2004-x64

3

compare-wi...cks.js

windows7-x64

3

compare-wi...cks.js

windows10-2004-x64

3

head.js

windows7-x64

3

head.js

windows10-2004-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uw Factuur 0092-0287492-39238.pdf.exe

  • Size

    804KB

  • MD5

    88a509f4974b099b9a18c97e93d23f6b

  • SHA1

    215f031e777464de6a253be0c520c6ce815bdf88

  • SHA256

    5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e

  • SHA512

    f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f

  • SSDEEP

    12288:7W02CHYwXcuevg6KILXB6iVZdXlQgBI7SJrydLCf6WsfrZBIr5kei+o3cw5s7CRH:7ACHnXcEILxtZtSg+SBzf9uIuvMqkk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 36 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • NSIS installer 2 IoCs
    installer
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:4692
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:100
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          2⤵
            PID:3448
          • C:\Windows\system32\BackgroundTransferHost.exe
            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            2⤵
              PID:3904
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              2⤵
                PID:5500
              • C:\Windows\system32\BackgroundTransferHost.exe
                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                2⤵
                  PID:2740
                • C:\Windows\system32\BackgroundTransferHost.exe
                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                  2⤵
                    PID:1548
                  • C:\Windows\system32\backgroundTaskHost.exe
                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                    2⤵
                      PID:1944
                    • C:\Windows\system32\BackgroundTransferHost.exe
                      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      2⤵
                        PID:4540
                      • C:\Windows\system32\BackgroundTransferHost.exe
                        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                        2⤵
                          PID:968
                        • C:\Windows\system32\backgroundTaskHost.exe
                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                          2⤵
                            PID:1028
                          • C:\Windows\system32\BackgroundTransferHost.exe
                            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                            2⤵
                              PID:3776
                            • C:\Windows\system32\BackgroundTransferHost.exe
                              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                              2⤵
                                PID:3324
                              • C:\Windows\system32\backgroundTaskHost.exe
                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                2⤵
                                  PID:1116
                                • C:\Windows\system32\BackgroundTaskHost.exe
                                  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                  2⤵
                                    PID:5268
                                  • C:\Windows\System32\RuntimeBroker.exe
                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                    2⤵
                                      PID:4100
                                  • C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
                                    1⤵
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of WriteProcessMemory
                                    PID:6100
                                    • C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2316
                                  • C:\Users\Admin\AppData\Local\Temp\dviljgl.exe
                                    C:\Users\Admin\AppData\Local\Temp\dviljgl.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of WriteProcessMemory
                                    PID:5632
                                    • C:\Users\Admin\AppData\Local\Temp\dviljgl.exe
                                      C:\Users\Admin\AppData\Local\Temp\dviljgl.exe
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2496
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 636
                                        3⤵
                                        • Program crash
                                        PID:5044
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 644
                                        3⤵
                                        • Program crash
                                        PID:3180
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
                                    1⤵
                                      PID:5468
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2496 -ip 2496
                                      1⤵
                                        PID:684

                                      Network

                                      MITRE ATT&CK Matrix ATT&CK v13

                                      Initial Access

                                      Execution

                                      Persistence

                                      Privilege Escalation

                                      Defense Evasion

                                      Credential Access

                                      Discovery

                                      Query Registry

                                      1
                                      T1012

                                      Peripheral Device Discovery

                                      1
                                      T1120

                                      System Information Discovery

                                      2
                                      T1082

                                      Lateral Movement

                                      Collection

                                      Exfiltration

                                      Command and Control

                                      Impact

                                      Resource Development

                                      Reconnaissance

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\ProgramData\SoftwareDistribution\ilzjudh
                                        Filesize

                                        654B

                                        MD5

                                        81ee79f97ba12adc264b7e7fdc59f33b

                                        SHA1

                                        0a92f0791838a66ad064c0d6b3457896737132a8

                                        SHA256

                                        232642e2774026823d3ac5ca2defa643fd5c5770da07b68dea12c0917eb5423d

                                        SHA512

                                        4cfe0de45c7ead532abe77c7ce5fefbac840ee2f71a071aa2d125ea250c53a94382a0a7e60eaee5815ce10366a2dd3cd3db19e0c51f93c47d4474360b2b71e12

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\dviljgl.exe
                                        Filesize

                                        804KB

                                        MD5

                                        88a509f4974b099b9a18c97e93d23f6b

                                        SHA1

                                        215f031e777464de6a253be0c520c6ce815bdf88

                                        SHA256

                                        5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e

                                        SHA512

                                        f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\nsq3019.tmp\System.dll
                                        Filesize

                                        11KB

                                        MD5

                                        883eff06ac96966270731e4e22817e11

                                        SHA1

                                        523c87c98236cbc04430e87ec19b977595092ac8

                                        SHA256

                                        44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

                                        SHA512

                                        60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\Linker.dll
                                        Filesize

                                        20KB

                                        MD5

                                        d4347e5ece1d7cc8a2fffb1afef7ea32

                                        SHA1

                                        4a656426fdc156a914494cef7f8fc437d6ca28dc

                                        SHA256

                                        6f7a21dd4e3539e81113a54f5f1ab70fb3e5457033e923fbb95fdb80b7c433cd

                                        SHA512

                                        0923dd987ef862f4341643627c68fdf276a749aa647c29509d72ec9ee77accb79a5fde7e1387696534e096c8c1714ce694c9c826faff2a06178b7068e7d48d56

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\asyncqueue.JS
                                        Filesize

                                        4KB

                                        MD5

                                        97c2cce0b8038bd21abaf457b50f8112

                                        SHA1

                                        ac6fc6496817e98c7701fc9afc5e0b6eb78d74bb

                                        SHA256

                                        f59ee97d7d97c887e5da91778ce8d3583b1e448680581e1796312d017e699059

                                        SHA512

                                        874ff6ce0ca3ed1a57e379e91a9ff94e3893b3ceb9e7c1b6bf715565347c14e3e8b8a3bdeb86ae55a9ce9d67eeb3dd6289e63b756dbb4b1db91ef08a88798fc3

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\compare-with-callbacks.JS
                                        Filesize

                                        1KB

                                        MD5

                                        2c6f5684ce8e64e2ac4d106ec6c361dd

                                        SHA1

                                        78f431b04243778cf02f29c63ec1f10e464bde6a

                                        SHA256

                                        1d552bba9fdb2557c0a0b55c79eb322852df0e6a0bcb3b48cfbdd335f32b3552

                                        SHA512

                                        0e53cd5e0c943e9c2014b8b778811b4aa83610347f7156ef4b5f616a13a7d29552f72087fe8a956c1c9464af224dcf113232d65e913049e8be8966aa7f2887a6

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\head.JS
                                        Filesize

                                        25B

                                        MD5

                                        19ebe25a2df3c27bfc3c692ba7ce9158

                                        SHA1

                                        f7f5514d24f03611b055af2fc9a541ecf579142e

                                        SHA256

                                        f5f9b7e1859d47775dfe65573624e84f1e2d6f9c2a3a08f684b8148cefb720e8

                                        SHA512

                                        76c4e82aa9bf6d64c956788eacb9c8bc13db2e626c44a548ab7a49dda9569ea06b48dc46b92e725ce2ab4a7a7124cf01565923adbc7a4c529ac429184639659b

                                        Download Submit
                                      • memory/844-155-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-321-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-113-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-115-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-116-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-122-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-119-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/844-3469-0x00000000148F0000-0x0000000014967000-memory.dmp
                                        Filesize

                                        476KB

                                        Download
                                      • memory/2316-52-0x00000000008B0000-0x0000000000AFB000-memory.dmp
                                        Filesize

                                        2.3MB

                                        Download
                                      • memory/2316-51-0x0000000000400000-0x00000000004A4600-memory.dmp
                                        Filesize

                                        657KB

                                        Download
                                      • memory/2316-49-0x0000000000400000-0x00000000004A5000-memory.dmp
                                        Filesize

                                        660KB

                                        Download
                                      • memory/2316-50-0x0000000000690000-0x00000000008AA000-memory.dmp
                                        Filesize

                                        2.1MB

                                        Download
                                      • memory/2316-47-0x0000000000400000-0x00000000004A5000-memory.dmp
                                        Filesize

                                        660KB

                                        Download
                                      • memory/2496-110-0x0000000000960000-0x0000000000BAB000-memory.dmp
                                        Filesize

                                        2.3MB

                                        Download