59f37317df6bcd623adee54e2f223ec19498ce2c7243b49c5842800403e37b4b

General

Target

facture.pdf.exe
Size

1.1MB
MD5

33bbff3ddce1b5549a0fe651a597484d
SHA1

5c3112180ff1402e487cf60e0764002c4fb4985a
SHA256

f6409eeb12e6b1171fc99cbb9ac4c4cd668bf42d2b3d426965f6ca1d2b01959f
SHA512

40690266e6e879916c615b195a13d03c0156973b3e54ce55ecaa6e5e3bd51f6b58703ecb99c40003a189bccc6e39c27be7b63c46cd8747c3a5c8e8d15326b5b1
SSDEEP

24576:62vlUs5Pm6fXrnpSm3D0EcosRatFaODMn4iLTFV/KW:622A+6znMwJHFaFnZ/KW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2576	FileManager.exe
1364	AudioDriver.exe
2644	FileManager.exe
1600	AudioDriver.exe

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
1188	Process not Found
1188	Process not Found
2404	facture.pdf.exe
1364	AudioDriver.exe
1188	Process not Found
1188	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 2404	1012	facture.pdf.exe	31
PID 1364 set thread context of 1600	1364	AudioDriver.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1012	facture.pdf.exe
1012	facture.pdf.exe
1012	facture.pdf.exe
1364	AudioDriver.exe
1364	AudioDriver.exe
1364	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe
1600	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	facture.pdf.exe
Token: SeDebugPrivilege	1364	AudioDriver.exe
Token: SeDebugPrivilege	1600	AudioDriver.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 1012 wrote to memory of 2404	1012	facture.pdf.exe	31
PID 2404 wrote to memory of 1364	2404	facture.pdf.exe	32
PID 2404 wrote to memory of 1364	2404	facture.pdf.exe	32
PID 2404 wrote to memory of 1364	2404	facture.pdf.exe	32
PID 2404 wrote to memory of 1364	2404	facture.pdf.exe	32
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34
PID 1364 wrote to memory of 1600	1364	AudioDriver.exe	34

C:\Users\Admin\AppData\Local\Temp\facture.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\facture.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\Desktop\FileManager.exe
  "C:\Users\Admin\Desktop\FileManager.exe"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\facture.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\facture.pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\Desktop\FileManager.exe
      "C:\Users\Admin\Desktop\FileManager.exe"
      4⤵
      Executes dropped EXE
      PID:2644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\FileManager.exe

Filesize
92KB

MD5
4aa530f8f464d176d731f734a8cb1850

SHA1
fd84a600f6450434773ffe7c4f38f7d1b7408398

SHA256
a6c2be00cc4c51241b67e4169c339889fbd5db47d32932772774a18143665e34

SHA512
d62a76ddba979c51bf7b82a6a87bd4c2f050887dd32b85ad7f100398b8e3ffd2fb344ee481c80376699ff1dc723933fa931b0d577d42e45a517d5708fc8e557f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
1.1MB

MD5
33bbff3ddce1b5549a0fe651a597484d

SHA1
5c3112180ff1402e487cf60e0764002c4fb4985a

SHA256
f6409eeb12e6b1171fc99cbb9ac4c4cd668bf42d2b3d426965f6ca1d2b01959f

SHA512
40690266e6e879916c615b195a13d03c0156973b3e54ce55ecaa6e5e3bd51f6b58703ecb99c40003a189bccc6e39c27be7b63c46cd8747c3a5c8e8d15326b5b1

Download Submit
memory/1012-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-3-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-12-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-0-0x0000000074951000-0x0000000074952000-memory.dmp

Filesize
4KB

Download
memory/1012-18-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-44-0x0000000000080000-0x0000000000158000-memory.dmp

Filesize
864KB

Download
memory/1600-47-0x0000000000080000-0x0000000000158000-memory.dmp

Filesize
864KB

Download
memory/1600-40-0x0000000000080000-0x0000000000158000-memory.dmp

Filesize
864KB

Download
memory/2404-17-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2404-21-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-20-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-30-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-19-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2404-15-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing