Analysis

  • max time kernel
    130s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-10-2024 19:42

General

  • Target

    NEW ORDER QUOTATION REQUEST.exe

  • Size

    1.2MB

  • MD5

    274886fceb562b62f7c9047ea003e7cb

  • SHA1

    4e08243ed9caf495ad6337029aad1ed207fe6a52

  • SHA256

    1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a

  • SHA512

    01544cf243f46ce27c59fc3ecb91df7941142d87260fae0c4c68191f6c1712e3f055040098bae7969200ea810daf03633937e6b9d194add7be0c46a14e3df2a6

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QLjGFLhUQkAO6AS2GEuY5++o+:f3v+7/5QLcOYO6eLrk+

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW ORDER QUOTATION REQUEST.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDER QUOTATION REQUEST.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Vevina\quinquennia.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW ORDER QUOTATION REQUEST.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\NEW ORDER QUOTATION REQUEST.exe"
        3⤵
        PID:3156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 760
        3⤵
        • Program crash
        PID:2792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776
    1⤵
    PID:1348
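The signatures and the process tree above can be turned into a host-side detection. What follows is an added example, not part of the sandbox report or its vendor's tooling: it rebuilds the tree as constructed process-creation events (PIDs, image paths, command lines and the sample's SHA256 are copied from the report) and flags the four things the tree shows: a child whose on-disk image differs from the executable its command line names (PIDs 776 and 3156), a child in a user-writable path with the same hash as its parent (the Vevina\quinquennia.exe copy), a .NET framework utility spawned from AppData (RegSvcs.exe), and WerFault reporting a crash of that AppData-resident process. The parent of the two depth-1 processes, the hash of RegSvcs.exe, and the `DOTNET_UTILITIES` entries beyond RegSvcs.exe are assumptions.

```python
"""Added example: host-side detection logic derived from the sandbox process
tree. Not part of the sandbox report or its vendor's tooling.

EVENTS is constructed from the report: PIDs, image paths, command lines and
the sample's SHA256 are copied from it. Assumptions: the parent of the two
depth-1 processes is unknown (ppid None), the RegSvcs.exe hash is not in the
report (None), and DOTNET_UTILITIES lists binaries beyond RegSvcs.exe that
are commonly abused as injection hosts (an assumption, not a report finding).
"""
import ntpath

SAMPLE_SHA256 = "1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\NEW ORDER QUOTATION REQUEST.exe"

EVENTS = [
    {"pid": 764, "ppid": None, "image": DROPPER,
     "cmdline": f'"{DROPPER}"', "sha256": SAMPLE_SHA256},
    {"pid": 776, "ppid": 764,
     "image": r"C:\Users\Admin\AppData\Local\Vevina\quinquennia.exe",
     "cmdline": f'"{DROPPER}"', "sha256": SAMPLE_SHA256},  # byte-identical copy (same hashes)
    {"pid": 3156, "ppid": 776,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": f'"{DROPPER}"', "sha256": None},  # hash not in the report
    {"pid": 2792, "ppid": 776, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 760", "sha256": None},
    {"pid": 1348, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776", "sha256": None},
]

DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def cmdline_image(cmdline):
    """First token of a Windows command line, honouring a quoted path with spaces."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0]


def in_user_writable(path):
    """Locations an unprivileged user can write to (heuristic, not exhaustive)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def werfault_target(cmdline):
    """PID named by WerFault's -p switch, i.e. the process that crashed."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        if toks[i] == "-p" and toks[i + 1].isdigit():
            return int(toks[i + 1])
    return None


def analyse(events):
    """Return sorted, de-duplicated (rule, pid) findings over process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = set()
    for e in events:
        image, pid = e["image"], e["pid"]
        base = ntpath.basename(image).lower()
        parent = by_pid.get(e["ppid"])
        # 1. Image on disk differs from the executable the command line names.
        if ntpath.basename(cmdline_image(e["cmdline"])).lower() != base:
            findings.add(("cmdline_image_mismatch", pid))
        # 2. Child in a user-writable directory with the same hash as its parent:
        #    the sample re-launching a copy of itself from a persistence path.
        if parent and in_user_writable(image) and e["sha256"] and e["sha256"] == parent["sha256"]:
            findings.add(("self_copy_executed", pid))
        # 3. A .NET framework utility spawned by something living in AppData/Temp.
        if base in DOTNET_UTILITIES and parent and in_user_writable(parent["image"]):
            findings.add(("dotnet_utility_from_user_dir", pid))
        # 4. WerFault reporting a crash of a process in a user-writable path
        #    (the report's "Program crash" for PID 776).
        if base == "werfault.exe":
            crashed = by_pid.get(werfault_target(e["cmdline"]))
            if crashed and in_user_writable(crashed["image"]):
                findings.add(("crash_of_user_dir_process", crashed["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Rule 1 on its own is noisy: any launcher can pass a command line that names a different executable, because CreateProcess accepts the application path and the command-line string separately. It becomes useful when correlated with the others, which is why `analyse` reports per-PID findings rather than a single verdict; on these events PIDs 776 and 3156 each collect two rules.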

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\windigos

    Filesize

    269KB

    MD5

    5fa22afa19dad9edf04c13437065bc95

    SHA1

    88a5776c79f44e06378e83471fc8295c44224a74

    SHA256

    d6d9cb15653250a2377609a74ff533bd459f833fb3879064d1cab84e6a06c332

    SHA512

    a0684e26bb22a36b5577a60a83d56806e928d3c39da66e93b03d48f986424f243f64a6015d852461a0e86ef7f123d1a8eb1924fa6502a4c402f787d50e2ed58e

  • C:\Users\Admin\AppData\Local\Vevina\quinquennia.exe

    Filesize

    1.2MB

    MD5

    274886fceb562b62f7c9047ea003e7cb

    SHA1

    4e08243ed9caf495ad6337029aad1ed207fe6a52

    SHA256

    1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a

    SHA512

    01544cf243f46ce27c59fc3ecb91df7941142d87260fae0c4c68191f6c1712e3f055040098bae7969200ea810daf03633937e6b9d194add7be0c46a14e3df2a6

  • memory/764-2-0x0000000003DF0000-0x0000000003FF0000-memory.dmp

    Filesize

    2.0MB

  • memory/776-10-0x0000000003D70000-0x0000000003F70000-memory.dmp

    Filesize

    2.0MB