Overview

overview

5

Static

static

5

petronas p...ro.exe

windows7-x64

5

petronas p...ro.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    94s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 00:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    petronas profile & intro.exe

  • Size

    1.3MB

  • MD5

    59ad0918e3f6ac6c4e8b70439f3e55f5

  • SHA1

    b336366d7e5c702257986273fa69ed5058d210fe

  • SHA256

    fd98700a7e9ace0a863b0392d688b7ad07f47bb5c40685916f3ac4bb34e51448

  • SHA512

    81c22660969e5ffc0db91ba73d6ec12c4cb4d610f00bd57e6c5c7013be2e0d9bcd6f86781531fa2cca211777e95cacc9f9cfc377c26a65f20172b4d8dcd7686c

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaC/yWCXMPylG+ck7qVqWb+m1zslrhmK2:7JZoQrbTFZY1iaC/xPylmVVqW7pwmK2

Score
5/10
discovery

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\petronas profile & intro.exe
    "C:\Users\Admin\AppData\Local\Temp\petronas profile & intro.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\petronas profile & intro.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 752
      2⤵
      • Program crash
      PID:2208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
    1⤵
      PID:4764

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1648-3-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1648-4-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1648-5-0x0000000001C00000-0x0000000001F4A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1648-6-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1648-7-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/3132-2-0x0000000004400000-0x0000000004800000-memory.dmp

            Filesize

            4.0MB

            Download