16f5973e443c033c0fc3537f53ad0454cec9c2cbccb2f7b58e2ce5a041d92889

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

factura.Doc .exe
Size

316KB
MD5

6a742fda92d69762d107c078adf70ad3
SHA1

739f282d0fd97e29ae5211f076de165345885cf9
SHA256

b78c094b662f6aed75b48d0c4fcc6d5f302e59af9b9dabefb274c4828d65b9e0
SHA512

3b66b223c308a56b557959e8f539f4aa4ac893e5cb85dd0d71b94ba543a42d6b95b2179ef937630d4c53fdcaf1c84786255fc297017bcab80c953d6fdea2febc
SSDEEP

6144:IjDbTozsd9qV6hsp0bD6oVMPmIty5hTTJlw6Qw37jhbVRf19G3q:x4qssG6pP3Y5tPSwhvN98q

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	ysca.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	factura.Doc .exe
1688	factura.Doc .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{ED60B7C8-3C80-AD4F-2955-D827011AFB3A} = "C:\\Users\\Admin\\AppData\\Roaming\\Okza\\ysca.exe"	ysca.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2888	1688	factura.Doc .exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	factura.Doc .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Privacy	factura.Doc .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	factura.Doc .exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe
2144	ysca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1688	factura.Doc .exe
2144	ysca.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2144	1688	factura.Doc .exe	30
PID 1688 wrote to memory of 2144	1688	factura.Doc .exe	30
PID 1688 wrote to memory of 2144	1688	factura.Doc .exe	30
PID 1688 wrote to memory of 2144	1688	factura.Doc .exe	30
PID 2144 wrote to memory of 1172	2144	ysca.exe	19
PID 2144 wrote to memory of 1172	2144	ysca.exe	19
PID 2144 wrote to memory of 1172	2144	ysca.exe	19
PID 2144 wrote to memory of 1172	2144	ysca.exe	19
PID 2144 wrote to memory of 1172	2144	ysca.exe	19
PID 2144 wrote to memory of 1284	2144	ysca.exe	20
PID 2144 wrote to memory of 1284	2144	ysca.exe	20
PID 2144 wrote to memory of 1284	2144	ysca.exe	20
PID 2144 wrote to memory of 1284	2144	ysca.exe	20
PID 2144 wrote to memory of 1284	2144	ysca.exe	20
PID 2144 wrote to memory of 1372	2144	ysca.exe	21
PID 2144 wrote to memory of 1372	2144	ysca.exe	21
PID 2144 wrote to memory of 1372	2144	ysca.exe	21
PID 2144 wrote to memory of 1372	2144	ysca.exe	21
PID 2144 wrote to memory of 1372	2144	ysca.exe	21
PID 2144 wrote to memory of 1352	2144	ysca.exe	23
PID 2144 wrote to memory of 1352	2144	ysca.exe	23
PID 2144 wrote to memory of 1352	2144	ysca.exe	23
PID 2144 wrote to memory of 1352	2144	ysca.exe	23
PID 2144 wrote to memory of 1352	2144	ysca.exe	23
PID 2144 wrote to memory of 1688	2144	ysca.exe	29
PID 2144 wrote to memory of 1688	2144	ysca.exe	29
PID 2144 wrote to memory of 1688	2144	ysca.exe	29
PID 2144 wrote to memory of 1688	2144	ysca.exe	29
PID 2144 wrote to memory of 1688	2144	ysca.exe	29
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31
PID 1688 wrote to memory of 2888	1688	factura.Doc .exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1172

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\factura.Doc .exe
  "C:\Users\Admin\AppData\Local\Temp\factura.Doc .exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Okza\ysca.exe
    "C:\Users\Admin\AppData\Roaming\Okza\ysca.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfcb24552.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfcb24552.bat

Filesize
347B

MD5
1c1954e58249adcee8418a1ad464e88b

SHA1
e065ec8c92ca358da002d6f7bac5d1ac5097617d

SHA256
1a21b8588d0d6525e3e4c0d786821e3065aa40f57003a0fc2a3f4b3c59586b2a

SHA512
0a2871e5fa93a57aafc001aaa52a28972f929696afe96388b3b4245fe509383b40624e6bf8426f3a76955c7bc3024f0a0c41d56099a8fe7e2710df121315ba5a

Download Submit
C:\Users\Admin\AppData\Roaming\Okza\ysca.exe

Filesize
316KB

MD5
525eb9cd4d5768d9392ca645c727f6fd

SHA1
a190dca9f6d6b76a3a6cc13b99e8256ec57b9657

SHA256
8e6a42e332c9b3aa131acc21bfd6435d48575049e282692205346a63e6122897

SHA512
3ff0afafa5092f60a966bee212e4c2b3e078ef5ec9a377bc283e1a56a5a5286cb29851bb1646e2640400f3e676b6ba0f31594d8f54db4ecc624646b0efb3d335

Download Submit
memory/1172-19-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1172-23-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1172-24-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1172-21-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1172-22-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/1284-27-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1284-28-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1284-29-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1284-26-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1352-39-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1352-36-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1352-37-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1352-38-0x0000000001BF0000-0x0000000001C32000-memory.dmp

Filesize
264KB

Download
memory/1372-33-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1372-31-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1372-32-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1372-34-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1688-131-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1688-74-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-70-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-68-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-66-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-64-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-62-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-60-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-58-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-56-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-54-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-52-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-46-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-45-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-132-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-44-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-43-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-42-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-41-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-72-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-76-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-78-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-80-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-130-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/1688-1-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/1688-48-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-0-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1688-155-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/1688-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-50-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1688-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-157-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/2144-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-16-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/2144-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2144-275-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2144-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download