Analysis

  • max time kernel
    93s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 15:02

General

  • Target

    Invoice, Parking List.exe

  • Size

    758KB

  • MD5

    6e39ee33f6527364cac3cc4bbf276f26

  • SHA1

    a7c12eef84ae778ce5158327d419508eb5b199c8

  • SHA256

    1a52416bc054c0f2a46f2fd215d73d3285334fcdacf02ed449935bd93fb70863

  • SHA512

    d06164091fe866df2626377b2d2589d9da291c73aff55b40db1844e32290c1f5e37b1ba8155ee02a351366df5a8862ce0b2e5b28a9b14b65cd568064cde28a78

  • SSDEEP

    12288:v6Wq4aaE6KwyF5L0Y2D1PqLVRX3OyQsAhJYUVTx6AflSeqz2jqPB88bYVUCYH5g:tthEVaPqL7nvQlhJYATxDYeHjqPB88ZO

Score
5/10

Malware Config

Signatures

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice, Parking List.exe"
      2⤵
        PID:1840
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 832
        2⤵
        • Program crash
        PID:2168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2800 -ip 2800
      1⤵
        PID:1828

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2800-0-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

      • memory/2800-3-0x0000000004280000-0x0000000004680000-memory.dmp

        Filesize

        4.0MB

      • memory/2800-4-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB