e9ac7b75d3fce7318121fd04c86910feffebde6020e7c7965b045d8c1db7a67a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr
Size

506KB
MD5

e0c9e77759bee166680888c7417a358f
SHA1

f28e61ee3a03d315962e72e4f9875281f39fc4d6
SHA256

b81db352466d0a651374b1be399fc2f1b02b638c9a1786a2556d5d7919d2486e
SHA512

8fc2324f1040bb52d5ba03d367682a9caae24c769264958822e4efa613183bc3d30940f6b7d3179fc985e80b7ea5a0b0563a16505d64bfa8ad79d22fad9b6523
SSDEEP

12288:mHadbvM/N20WJ2kva9YffxVTo1AXwcGHswMi1XZ3f88:aadLM/N7WJ2qZV01AFGMwMQU

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr
2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3304	2044	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3304	2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr	31
PID 2044 wrote to memory of 3304	2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr	31
PID 2044 wrote to memory of 3304	2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr	31
PID 2044 wrote to memory of 3304	2044	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr	31

C:\Users\Admin\AppData\Local\Temp\PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr
"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr" /S
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 520
  2⤵
  - Program crash
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA20B.tmp

Filesize
11B

MD5
bad78a997013818e85c1091ce1f575e0

SHA1
fa7b6b576c9b365194a222dfd1d3805121544fd3

SHA256
e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d

SHA512
c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA20B.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA25E.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA22D.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA22E.tmp

Filesize
60B

MD5
efa6a699672aff20f8c8a21a97865bc4

SHA1
27d3f052ab130355de98462ec859dce2414b2358

SHA256
3848b330d58a2829f8b8dcc21f034859930c30874686ba6c8d5bdd274182188a

SHA512
4fc2b54e7cb7d3f7d946bc91bc7f21e6060096e20fe907fa263a5fc8ec92659e1c3d54a174e7319c30a0cfeddf2e349b6939f0ec28458111de47a901277da715

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA23E.tmp

Filesize
56B

MD5
1e06318c3ec1a306a6f4e3f0ea831396

SHA1
b27b498f8f9f4140844edfa6b87f2ccabce99737

SHA256
137eb8ee9136207bb4cc40e77d61be33f04dc487456479dc98926dff5d7789bc

SHA512
b7b359759fb58a144f0e6e6d65afc76bead511268accb45e6e4c338ca9cac161c36f419e5e5e82842e1c1744b761c5633b9a3132c690b74bc3f35b0445e7e0a8

Download Submit
\Users\Admin\AppData\Local\Temp\nstA21C.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit