41b64e5a0748356023f0050581296047bb1e2b88794509dccf978a20a5e0f86f

General

Target

Debit note Jan-Jul 2024.exe
Size

740KB
MD5

8379ff838164b21dbd287611dae13ecb
SHA1

d19e11692605f70504de8ab04a992627985facea
SHA256

3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23
SHA512

a4a2db5afd04a7f657520d2b84f19627a3381db5996803283868020dab1f89b56b3367585b10b2762ef57d8581fff0c36b989d5e00a63e7282813ee04d0e2b77
SSDEEP

12288:osHzOUNUSB/o5LsI1uwajJ5yvv1l2/BXyZPlcd2zhRKzdWTWTKgYzajbRtML7RQH:7iUmSB/o5d1ubcvKC5lcd2WUg3RquUjs

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	name.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x0000000000070000-0x000000000020E000-memory.dmp	upx
behavioral2/files/0x000600000001e551-17.dat	upx
behavioral2/memory/1244-20-0x00000000006F0000-0x000000000088E000-memory.dmp	upx
behavioral2/memory/4044-19-0x0000000000070000-0x000000000020E000-memory.dmp	upx
behavioral2/memory/1244-41-0x00000000006F0000-0x000000000088E000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4044-19-0x0000000000070000-0x000000000020E000-memory.dmp	autoit_exe
behavioral2/memory/1244-41-0x00000000006F0000-0x000000000088E000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 1384	1244	name.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4628	1244	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debit note Jan-Jul 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe
1384	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1244	name.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4044	Debit note Jan-Jul 2024.exe
4044	Debit note Jan-Jul 2024.exe
1244	name.exe
1244	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4044	Debit note Jan-Jul 2024.exe
4044	Debit note Jan-Jul 2024.exe
1244	name.exe
1244	name.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 1244	4044	Debit note Jan-Jul 2024.exe	87
PID 4044 wrote to memory of 1244	4044	Debit note Jan-Jul 2024.exe	87
PID 4044 wrote to memory of 1244	4044	Debit note Jan-Jul 2024.exe	87
PID 1244 wrote to memory of 1384	1244	name.exe	89
PID 1244 wrote to memory of 1384	1244	name.exe	89
PID 1244 wrote to memory of 1384	1244	name.exe	89
PID 1244 wrote to memory of 1384	1244	name.exe	89

C:\Users\Admin\AppData\Local\Temp\Debit note Jan-Jul 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Debit note Jan-Jul 2024.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\Debit note Jan-Jul 2024.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Debit note Jan-Jul 2024.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 728
    3⤵
    - Program crash
    PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1244 -ip 1244
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holloing

Filesize
280KB

MD5
ab0b5c5c53a78a53d619bf819f588896

SHA1
ed96f282dcdb095784b217afd7b49b2e303f4da4

SHA256
d90e08bd265d05a3bcd32a193b19e854a453f252a3fafdf6022b5d13b3b8d53f

SHA512
4b915e21a008d4de536d398bb72548cd2c60c9fc3aa5042fc2b142a3f011683b842b0b11b7b3f3061b647257141ce02652b61385e14e33ea9f815b8ea734cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\springmaker

Filesize
84KB

MD5
06df9dae77983b023eb0a3c4408a467f

SHA1
938de7ac57312441bf4ab3fd789bc07f0fca1509

SHA256
d9216e673ac432ca2af347678c87949cbdf4cf15378a82858f81c2609603073f

SHA512
b6fe5fa9a863ebe3795575ccdedea760bd3d9065c1bc08d25e8e97a1f5651f4d54127eee72ff7c1deae7ec9801f01f1a9bdbd408be0aedf4080822e14dbef6e4

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
740KB

MD5
8379ff838164b21dbd287611dae13ecb

SHA1
d19e11692605f70504de8ab04a992627985facea

SHA256
3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23

SHA512
a4a2db5afd04a7f657520d2b84f19627a3381db5996803283868020dab1f89b56b3367585b10b2762ef57d8581fff0c36b989d5e00a63e7282813ee04d0e2b77

Download Submit
memory/1244-20-0x00000000006F0000-0x000000000088E000-memory.dmp

Filesize
1.6MB

Download
memory/1244-41-0x00000000006F0000-0x000000000088E000-memory.dmp

Filesize
1.6MB

Download
memory/1384-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1384-39-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/1384-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1384-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4044-19-0x0000000000070000-0x000000000020E000-memory.dmp

Filesize
1.6MB

Download
memory/4044-0-0x0000000000070000-0x000000000020E000-memory.dmp

Filesize
1.6MB

Download
memory/4044-14-0x0000000001320000-0x0000000001324000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing