Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/05/2024, 06:14

General

  • Target
    სატრანსპორტო ინვოისი- შპს ელ +DE-GE 400 EUR.exe
  • Size
    801KB
  • MD5
    bd3614fa7678ce0afd0d771ac9cccda3
  • SHA1
    1edcc5e14ae650fee8c7aff90f9d83ab842d9a80
  • SHA256
    6e1d980c6302e6c39dfb64c69f8dfc056f4eea385ff865753b41d250d815f4d3
  • SHA512
    db990f88902238ac945c66ed9e354ca5290f7afc32ff547f2d8a6b298c0e52dab8189b43291ab20ee28efc2f9e7572f2034dbf8a5d09a021b1ed321e23d5b27d
  • SSDEEP
    12288:c5GdGIdeORq3eur2KKeC/hX6uSog1HzdC5FrYzBDaeLq0zqwnNyBZbV:F9rg3v2Ke/hHSogZdC5FCfjJngjbV

Score
7/10

Malware Config

Signatures

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\სატრანსპორტო ინვოისი- შპს ელ +DE-GE 400 EUR.exe
    "C:\Users\Admin\AppData\Local\Temp\სატრანსპორტო ინვოისი- შპს ელ +DE-GE 400 EUR.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\სატრანსპორტო ინვოისი- შპს ელ +DE-GE 400 EUR.exe"
      2⤵
      • Checks QEMU agent file
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd520.tmp\LangDLL.dll
    • Filesize
      5KB
    • MD5
      be828e6e1885cc5a25e18f123e2a76a0
    • SHA1
      96432bf2da4e1c454f49f76e20855f27c2fce2f9
    • SHA256
      01773690efda3c1fa609287f4bf2277f3d366fe4a1ddc099d2949fab54f0fbd4
    • SHA512
      983e9a9e941b162031b8acf372c3ec12180b54f8e5f7172a6e87599e127170240841889d6e346a730f4970c9079f5f9cededc2730f910eb4e0bb897f68cfca70
  • \Users\Admin\AppData\Local\Temp\nsd520.tmp\System.dll
    • Filesize
      11KB
    • MD5
      ee260c45e97b62a5e42f17460d406068
    • SHA1
      df35f6300a03c4d3d3bd69752574426296b78695
    • SHA256
      e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
    • SHA512
      a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
  • memory/840-37-0x0000000076FB0000-0x0000000077159000-memory.dmp
    • Filesize
      1.7MB
  • memory/840-39-0x0000000072530000-0x0000000073592000-memory.dmp
    • Filesize
      16.4MB
  • memory/1680-35-0x0000000076FB1000-0x00000000770B2000-memory.dmp
    • Filesize
      1.0MB
  • memory/1680-36-0x0000000076FB0000-0x0000000077159000-memory.dmp
    • Filesize
      1.7MB