ded8c07fb7142ba39946dd3aaac2ec104a19cd919f4e7a7eda7781db6e3816ee

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 20:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

REVISE 50% OCTA INVOICE.exe
Size

257KB
MD5

093048c24b9994fef2130cd8457e7a4b
SHA1

f3c31eefe661b1febc80c0865af8f4fd1385ac7f
SHA256

0e803b7715385244cae58772b5b0da43b7cca6a97c5ffd182081eca8676ff5d7
SHA512

e95142b25ae3078c642df183213ed06ccb0b5b65c4b25c3844803258d8b149c3570fdd00a25b539199f44ad10877c37139e430febe304ad6860511c379d4a2ba
SSDEEP

6144:rGiHxY9gDrwfI4pppl819WDk4UQ/FENd0AVT/+yIXg:LxYMrwfI8l819Z4UsFEf0CL+Zw

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3996	REVISE 50% OCTA INVOICE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	3996	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVISE 50% OCTA INVOICE.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 436	3996	REVISE 50% OCTA INVOICE.exe	82
PID 3996 wrote to memory of 436	3996	REVISE 50% OCTA INVOICE.exe	82
PID 3996 wrote to memory of 436	3996	REVISE 50% OCTA INVOICE.exe	82

C:\Users\Admin\AppData\Local\Temp\REVISE 50% OCTA INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\REVISE 50% OCTA INVOICE.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\REVISE 50% OCTA INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\REVISE 50% OCTA INVOICE.exe"
  2⤵
  PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 932
  2⤵
  - Program crash
  PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsrB17E.tmp\pqcs.dll

Filesize
33KB

MD5
f2828be237823a888b96c7d265c0ec05

SHA1
bf3b7ee29a6ff865fd6c17fd449cca42e4c6bc74

SHA256
61591ac877c329a2b715066f957ea19c164bc78c1ffaf59c769462a689f3b139

SHA512
2b94e24a27f47cac7494cc9a876e7f27a0f9a53b1a2be5e9f46efa94abd29287edae2de1784e387f28483dad99d7af12ac61e0fe450e1b00a1c5c1cdf32185c5

Download Submit
memory/3996-8-0x0000000010009000-0x000000001000B000-memory.dmp

Filesize
8KB

Download