Analysis
  max time kernel: 93s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-09-2024 15:02
Behavioral task: behavioral1
  Sample: Invoice, Parking List.exe
  Resource: win7-20240903-en
General
  Target: Invoice, Parking List.exe
  Size: 758KB
  MD5: 6e39ee33f6527364cac3cc4bbf276f26
  SHA1: a7c12eef84ae778ce5158327d419508eb5b199c8
  SHA256: 1a52416bc054c0f2a46f2fd215d73d3285334fcdacf02ed449935bd93fb70863
  SHA512: d06164091fe866df2626377b2d2589d9da291c73aff55b40db1844e32290c1f5e37b1ba8155ee02a351366df5a8862ce0b2e5b28a9b14b65cd568064cde28a78
  SSDEEP: 12288:v6Wq4aaE6KwyF5L0Y2D1PqLVRX3OyQsAhJYUVTx6AflSeqz2jqPB88bYVUCYH5g:tthEVaPqL7nvQlhJYATxDYeHjqPB88ZO
Malware Config
Signatures

  AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
    resource                                                                     yara_rule
    behavioral2/memory/2800-4-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe

    resource                                                                     yara_rule
    behavioral2/memory/2800-0-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
    behavioral2/memory/2800-4-0x0000000000400000-0x00000000004C2000-memory.dmp  upx

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2168  2800        WerFault.exe  80
  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Invoice, Parking List.exe
  Suspicious use of FindShellTrayWindow (7 IoCs)
    pid   Process
    2800  Invoice, Parking List.exe   (7 identical entries)

  Suspicious use of SendNotifyMessage (7 IoCs)
    pid   Process
    2800  Invoice, Parking List.exe   (7 identical entries)

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process                    procid_target
    PID 2800 wrote to memory of 1840  2800  Invoice, Parking List.exe  82   (3 identical entries)
Processes

  C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe"
    PID: 2800
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe"
      PID: 1840

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 832
      PID: 2168
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2800 -ip 2800
    PID: 1828