Overview

overview

10

Static

static

10

Invoice an...df.exe

windows7-x64

9

Invoice an...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice and packing list (021)_pdf.exe

  • Size

    482KB

  • MD5

    e5f62262b9f4ee67ffb7c15ebe428a89

  • SHA1

    b037adae7507ab9103ca5d30d62302c973352d6f

  • SHA256

    105d2d63ad642a68e636c975bac2b5b60cd76ecb684d6c4a85fa6562d48f0de8

  • SHA512

    5e6508a0b6ebf3633cace9b084a5bac98f77021564b62a503e9f22b4e6debfd7f0fb653150b96fd7e39a04c59fc3ef33e9bfebef4882a95cf5acca3e78c1587a

  • SSDEEP

    6144:7Tz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crKT4:7TlrYw1RUh3NFn+N5WfIQIjbs/ZmBT4

Score
9/10
collectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detected Nirsoft tools 8 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\taxov"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408
    • C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\euchwmlr"
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:1240
    • C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list (021)_pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\oxiawevtrbx"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    c70d6497072467b1ab80ac1a7aa0eab9

    SHA1

    d628f176f9dad40578552383e03215ba46769ba5

    SHA256

    b54094c8605ec3736e0fb301ed58660dd409db98d2827caccdad1cfce60131ab

    SHA512

    aff05bcd4cbbbed0a28d3785bfc87f8346a8d092e4d060dc6f4af27ca722d6b2b6f500dc768d5a06d0751010d9f6e880d4e34162292ccb32f377faf03eb2ca8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\taxov
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/1240-7-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1240-9-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1240-31-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1240-13-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1240-3-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1240-15-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2064-14-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2064-20-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2064-18-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2064-8-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2064-12-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2408-16-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2408-10-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2408-25-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2408-17-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2408-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2408-2-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2440-32-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2440-36-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2440-35-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download