Overview

overview

10

Static

static

3

Factuur 00...df.exe

windows7-x64

10

Factuur 00...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2024 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factuur 00078454556-00398583.pdf.exe

  • Size

    760KB

  • MD5

    73b5b2675d4391fe6c59cc596bcd2a04

  • SHA1

    4a598519786f3646d459ede621337e08d67c1b3f

  • SHA256

    34400196b5de7adde8de4f2d8a5aadd350d1ce06910b9d44c1a17969c42b1b69

  • SHA512

    9b0f5bf43ae7b001a40f9d2742c2558e6961e3058bd67ec92108cbe75dc088ec3cbc8afeb3bd88bb0d9042db36b66cc1cff1054235fdb3ae4d1b659f0e86114f

  • SSDEEP

    12288:BDcMXv3/NEK7s37/shbOnMxrUzbtvC0nNr/Bqoo0Pamhyx/iugcGfAAChCJeTlV3:VpX/uqs37/s4MKrRZqLWaE6iUSDX2b

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:1412
    • C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4904
    • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
      C:\Users\Admin\AppData\Local\Temp\cyahede.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
        C:\Users\Admin\AppData\Local\Temp\cyahede.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 656
          3⤵
          • Program crash
          PID:3352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 676
        2⤵
        • Program crash
        PID:4428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 664
        2⤵
        • Program crash
        PID:1120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1604 -ip 1604
      1⤵
        PID:3580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 932 -ip 932
        1⤵
          PID:3396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 932 -ip 932
          1⤵
            PID:3708

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Packages\xwtrgtd
            Filesize

            654B

            MD5

            b34ff9eb4ba3b32de1f67ca1af126c36

            SHA1

            2a96ea33d9634d3623c8390097179f210171486b

            SHA256

            efbc4ab1bcb163b8a058f5c5de9890178e2f9020eec5372ab51d6c2979847ee0

            SHA512

            9f5b60a845d4baded1c5ff240b71db3153810c39f18d21ccd2465a75bd2d94d6fc3db37596f44745a289cc3e44ce4ef7a3465521f5b4696a57146d5c02808194

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
            Filesize

            760KB

            MD5

            73b5b2675d4391fe6c59cc596bcd2a04

            SHA1

            4a598519786f3646d459ede621337e08d67c1b3f

            SHA256

            34400196b5de7adde8de4f2d8a5aadd350d1ce06910b9d44c1a17969c42b1b69

            SHA512

            9b0f5bf43ae7b001a40f9d2742c2558e6961e3058bd67ec92108cbe75dc088ec3cbc8afeb3bd88bb0d9042db36b66cc1cff1054235fdb3ae4d1b659f0e86114f

            Download Submit

          • memory/804-20-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-23-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-28-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-26-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-22-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-30-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-228-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/804-3375-0x0000000030CE0000-0x0000000030D57000-memory.dmp

            Filesize

            476KB

            Download

          • memory/1604-17-0x00000000009D0000-0x0000000000C1B000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/4904-4-0x0000000000B50000-0x0000000000D9B000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/4904-2-0x0000000000930000-0x0000000000B4A000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4904-3-0x0000000000401000-0x00000000004A5000-memory.dmp

            Filesize

            656KB

            Download