Overview

overview

5

Static

static

5

Payment co...11.exe

windows7-x64

5

Payment co...11.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment confirmation 20240911.exe

  • Size

    1.2MB

  • MD5

    fce0847be56787ed350b9aa76990d91d

  • SHA1

    5c3d8ca6e50e763b87244d7b9e84eab52ad6464f

  • SHA256

    f5be3462bef54d4bd79a337ab058dd1663c0a3d23a27f1c7573dde13893c8db2

  • SHA512

    54a8e3b03bb72dadce15d00b0236bd1f707e943acd9729f0b070ecf16a3f61441ab425ab37e4c9b6ce11a12d7162cb0b6132dbd68865d9076ce85a4d471ac64a

  • SSDEEP

    24576:34lavt0LkLL9IMixoEgeaWOAaqiO1pD6gUAJJNzq9MmCS:Skwkn9IMHeaWJH1h5PxaPCS

Score
5/10
discovery

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment confirmation 20240911.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment confirmation 20240911.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment confirmation 20240911.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\springmaker
    Filesize

    282KB

    MD5

    2db554bf84ee0751d2503bec8eeed7b3

    SHA1

    027619a76d49ce5f7e9d83cc181ead8bc30cbdbc

    SHA256

    7b26e47f37165f960068526a4e2dcc2c49c6942e969be4fe4d2e5700a8f8c65b

    SHA512

    572ab89f1961dd2716fd8ab83c6d5775860fbd3ef16ecb70a979d260e4da2f7e6e37857bb4b3f663b83b4504b82397206f23be5ad1fbe2010854c03eb2791468

    Download Submit

  • memory/2648-6-0x0000000000240000-0x0000000000244000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2776-7-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2776-8-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2776-9-0x0000000000740000-0x0000000000A43000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2776-10-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2776-11-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download