2f19734e2830cc758cbdb51029bef396a0428b26c85128bc56376262f549ad0b

Analysis

max time kernel
151s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB _Ref#5800028900pdf.exe
Size

1.1MB
MD5

bde744fbe419f73f9b44fc0570c233f4
SHA1

f7b987ce8d3e4e1f1bfc7819c70ffefcb158fd2c
SHA256

586008861c32e8f32bb841b3734614ca385ba4c554a976ce9074a27d0df5e784
SHA512

5fcafd65d155abb11fbc84c10fea30afe190c89ef7b806654887b8594d1c6793b017902a0f479ed03968e4003af71edb2f33df9073406bbdde3519fa1dc75a75
SSDEEP

24576:ffmMv6Ckr7Mny5QLnX89AOLbz+kbn/y3B:f3v+7/5QLsO8bSt3B

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs	reindulgence.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	reindulgence.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023b83-4.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	1872	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB _Ref#5800028900pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reindulgence.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1872	4580	AWB _Ref#5800028900pdf.exe	87
PID 4580 wrote to memory of 1872	4580	AWB _Ref#5800028900pdf.exe	87
PID 4580 wrote to memory of 1872	4580	AWB _Ref#5800028900pdf.exe	87
PID 1872 wrote to memory of 4348	1872	reindulgence.exe	88
PID 1872 wrote to memory of 4348	1872	reindulgence.exe	88
PID 1872 wrote to memory of 4348	1872	reindulgence.exe	88

C:\Users\Admin\AppData\Local\Temp\AWB _Ref#5800028900pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AWB _Ref#5800028900pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\proximobuccal\reindulgence.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB _Ref#5800028900pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\AWB _Ref#5800028900pdf.exe"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 720
    3⤵
    - Program crash
    PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1872 -ip 1872
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demonetising

Filesize
234KB

MD5
ed09d029ab0998e149dd18fe34e91f70

SHA1
fa0ee4001f1391987ce21113dda28917d5c7be6a

SHA256
5d0e72a286aa96af0e7449b32ab85ffae0b7e7e108830b370ae63e80b07475e5

SHA512
d7b49a88db4b357014268f813b6b969dee7c4f6130f8fa6294f27c6ee72ed9bffa7287acb350d4ca2f8d526b02808e86c13c3a76885138c49b7ec74fdf324005

Download Submit
C:\Users\Admin\AppData\Local\proximobuccal\reindulgence.exe

Filesize
1.1MB

MD5
bde744fbe419f73f9b44fc0570c233f4

SHA1
f7b987ce8d3e4e1f1bfc7819c70ffefcb158fd2c

SHA256
586008861c32e8f32bb841b3734614ca385ba4c554a976ce9074a27d0df5e784

SHA512
5fcafd65d155abb11fbc84c10fea30afe190c89ef7b806654887b8594d1c6793b017902a0f479ed03968e4003af71edb2f33df9073406bbdde3519fa1dc75a75

Download Submit
memory/1872-10-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/4580-2-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download