Overview
overview
10Static
static
3Invoice-541221.exe
windows7-x64
4Invoice-541221.exe
windows10-2004-x64
10$PLUGINSDIR/NAct.dll
windows7-x64
3$PLUGINSDIR/NAct.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$TEMP/PDF ...DS.exe
windows7-x64
7$TEMP/PDF ...DS.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 15:38
Behavioral task
behavioral1
Sample
Invoice-541221.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Invoice-541221.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NAct.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NAct.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$TEMP/PDF READER/@New_x32DS.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
$TEMP/PDF READER/@New_x32DS.exe
Resource
win10v2004-20240802-en
General
-
Target
Invoice-541221.exe
-
Size
11.0MB
-
MD5
98427670752fdc1602d91149b17a1e91
-
SHA1
bb178d4f00416007b33b909cb9604c72833500bf
-
SHA256
dd57e25bab42325715b5ae27bf6578e309af829d8e7534db8f828b8dbc870120
-
SHA512
8f2cfd77eb4d7dda1eb77b457669e7401af86f7c64c0b0f96002284d9d3092f9bb4985beeed1d41a5b8a7be0b846eef24d6dc5aed529a573f21d0b74d09d1e03
-
SSDEEP
196608:9n6V8KNM5Fd4NpJMQ8rKI/ooTCuSq5aS6yqolsbBClg2Ml23Sl6LQgq:9n6qKafONpuQ8M2laxyLlACg2MUClv
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE 3 IoCs
pid Process 2576 @New_x32DS.exe 2484 @New_x32DS.exe 1288 Process not Found -
Loads dropped DLL 22 IoCs
pid Process 2500 Invoice-541221.exe 2500 Invoice-541221.exe 2500 Invoice-541221.exe 2576 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 2484 @New_x32DS.exe 1288 Process not Found -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016dc6-13.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Invoice-541221.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2484 @New_x32DS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 35 2484 @New_x32DS.exe Token: SeDebugPrivilege 2484 @New_x32DS.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2576 2500 Invoice-541221.exe 30 PID 2500 wrote to memory of 2576 2500 Invoice-541221.exe 30 PID 2500 wrote to memory of 2576 2500 Invoice-541221.exe 30 PID 2500 wrote to memory of 2576 2500 Invoice-541221.exe 30 PID 2576 wrote to memory of 2484 2576 @New_x32DS.exe 31 PID 2576 wrote to memory of 2484 2576 @New_x32DS.exe 31 PID 2576 wrote to memory of 2484 2576 @New_x32DS.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice-541221.exe"C:\Users\Admin\AppData\Local\Temp\Invoice-541221.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\PDF READER\@New_x32DS.exe"C:\Users\Admin\AppData\Local\Temp\PDF READER\@New_x32DS.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\PDF READER\@New_x32DS.exe"C:\Users\Admin\AppData\Local\Temp\PDF READER\@New_x32DS.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
85KB
MD589a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
Filesize
92KB
MD5cf77513525fc652bad6c7f85e192e94b
SHA123ec3bb9cdc356500ec192cac16906864d5e9a81
SHA2568bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9
-
Filesize
177KB
MD5daccb97b9214bb1366ed40ad583679a2
SHA189554e638b62be5f388c9bdd35d9daf53a240e0c
SHA256b714423d9cad42e67937531f2634001a870f8be2bf413eacfc9f73ef391a7915
SHA51299fd5c80372d878f722e4bcb1b8c8c737600961d3a9dffc3e8277e024aaac8648c64825820e20da1ab9ad9180501218c6d796af1905d8845d41c6dbb4c6ebab0
-
Filesize
129KB
MD55e869eebb6169ce66225eb6725d5be4a
SHA1747887da0d7ab152e1d54608c430e78192d5a788
SHA256430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
-
Filesize
38KB
MD5b32cb9615a9bada55e8f20dcea2fbf48
SHA1a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA5125c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
-
Filesize
172KB
MD55fbb728a3b3abbdd830033586183a206
SHA1066fde2fa80485c4f22e0552a4d433584d672a54
SHA256f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA51231e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb
-
Filesize
75KB
MD58ea18d0eeae9044c278d2ea7a1dbae36
SHA1de210842da8cb1cb14318789575d65117d14e728
SHA2569822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0
-
Filesize
1000KB
MD58386cf8add72bab03573064b6e1d89d2
SHA1c451d2f3eed6b944543f19c5bd15ae7e8832bbd4
SHA2562eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c
SHA5122bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2
-
Filesize
8KB
MD5e8a52f61db8eb35ef3b8211bfbb821e9
SHA1835d394badb777e9c7e4ef59c72a309500a3971e
SHA2564942106eb2b86a37c63eba972a2c6c5870d4ae7535075bb5252556e2ff2357f6
SHA51248e7f25ea4a4af1dc09fe594c25e8a962304922445a1e9708873cef4578a783eea913b59cc390d0e318c9d35995f01109b9a104b6176cd8cd081449988913626
-
Filesize
3.2MB
MD5cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
Filesize
198KB
MD56500aa010c8b50ffd1544f08af03fa4f
SHA1a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1
-
Filesize
3.6MB
MD5c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
Filesize
421KB
MD5d94eea13862fa10cc55075a7b595c3ee
SHA1af8607c0a6f67917d5f9d9136d7b981caaaa6a32
SHA25622822869023482e6d15314a8cbd7cb700e5c1ef4d89ecff65ff4144b1840da79
SHA512591359cdf1108297c49b68dc1c375f747aad19b0dc609fe625f0e8ed16d46804ae05a14c7fa3343493589bd3e5f6e8f485d7e54b1398c3f3881b4911cb38c643
-
Filesize
680KB
MD553cf89c12cd651b824bf19ea86822b7e
SHA1da16db3464f268c202670d0b379c24e3cf8a886a
SHA2561dd7f1beb75529a090e8157bac0cac3c55ed49579b48d8bcab6fc756931662fb
SHA5123ad7c7c6ba790ae4f5eef055a4af1611b5b02331abe64a4923c699cafdeafd28da307d67d3a77ea2284f6824ed04300aa46a2e7f95d8a11acebc3a8d181d4e92
-
Filesize
133KB
MD5f9d8093503c0eb02a2d30db794dbaa81
SHA1d11ac482caef0a4f3b008644e34b5c962c69a3af
SHA25647cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869
SHA512c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc
-
Filesize
26KB
MD5fb4a0d7abaeaa76676846ad0f08fefa5
SHA1755fd998215511506edd2c5c52807b46ca9393b2
SHA25665a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f
-
Filesize
136KB
MD5ba792c828797ab1b1ec5062b12872540
SHA115745e8c75c7d46a08a2efc301c6d6f95d3676e9
SHA256e86a8623f4532645419bd753baf239c77198a51c0663d5441ad6e8b56093f530
SHA5120e5f02a25789d47a686a18186fd6811e1cecbbc3104b0b3135eea5cc99240c59a3c24a760f8fe77bca8bffa2b4b1e0c305c5f73a28af4f84772a67db00544b82
-
Filesize
12.5MB
MD58b6c26c4d58c33f807aac62bb60e5748
SHA173d46b6353f09bb05bfabda9c778e3f526599d4a
SHA25691b4f35d3cf26bd02c76b20cad1641877f566fe6234f62dc021a1a2df7f11a58
SHA512ebb5279fb0d5cac00bc63e045721f06e85a8ddebd6cc05720826695d50dac87b3b0c626e5e9875a6a3a212a3743297f268eccd891b13cad2214a2dbc4585de73
-
Filesize
206KB
MD5f443be9a48ce3b6aab6ddefce7565983
SHA1e3d313360ef71845a3e7ba7620325bb82ab4cfdb
SHA256d1e5b5d887fe5de2efcf084cbfa2992a04c04524d36cbe350c8c1319266eaaa7
SHA512b550ab575ce95d8342e20b394999e262788ff5cfa480fb80bf6540408fe2726747d80272e7bcac17f916995bff077a8ff0ce84d0d42c5c5024143634f3a71353
-
Filesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada