4c4286c3e289314f8cbdb1861fa01d3c262aaf066939fb996c7d9f4e73a4e500

Analysis

max time kernel
132s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHEQUE COPY.exe
Size

323KB
MD5

ec067b73f3156aedbd9158f107952eb8
SHA1

6353de54ce12dfd2cd86a3dc2824c7448157a821
SHA256

3f6f1635ca9660f24bf4e9527ec6136ed50ad9a8a88e442768143d55eb73a6af
SHA512

83456705e8bed761fc5091cde0395314968327fd4929cbc79bd4350765328df66fe2ee00d9d66a0b23b1246fe44b19c6f3cb3cd3bbba88e0827442c5e8b79585
SSDEEP

6144:Lx/MKNJ1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmriV:B5T1tPxSPyVDdLP9VBkq

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	880	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CHEQUE COPY.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe
880	CHEQUE COPY.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3368	880	CHEQUE COPY.exe	84
PID 880 wrote to memory of 3368	880	CHEQUE COPY.exe	84
PID 880 wrote to memory of 3368	880	CHEQUE COPY.exe	84

C:\Users\Admin\AppData\Local\Temp\CHEQUE COPY.exe
"C:\Users\Admin\AppData\Local\Temp\CHEQUE COPY.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\CHEQUE COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\CHEQUE COPY.exe"
  2⤵
  PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1088
  2⤵
  - Program crash
  PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 880 -ip 880
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\l0k0ivt1gwq.dll

Filesize
10KB

MD5
8fec1fe4587680848ab0d0b5f0fd7d62

SHA1
7192af111e78841f12772d3c82e2be33efaaa28d

SHA256
553656f7c7bcccf8eff0a2f92d843c194404e5e1a743abc50c3904a1781168fa

SHA512
254390cdd8565e4a2ef92f3c450228bc470ec09f94d6aabdaaa7115eec5f2c0601f9ba88278b70c4595766a7c42a05be903fcc63444a0e1a119764ab86887bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAA.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/880-9-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/880-10-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download