13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura_855.pdf.exe
Size

240KB
MD5

068b6fd352736535c7d967673914c66a
SHA1

ae5b7ac0e73123f5b2b31e9a3b1061c9985e70bf
SHA256

df52a26061f50bed16f94038cfedb42e1b492b9ce865daabd7ce15db4db9b8a3
SHA512

0b3eff80a6cba89895c554206bb64246bc090a04015eae579e9624f71a72e750fa0d9c352f1922731698223444b1b583c3aa075fc67fb00c32f6fe19b8bb585f
SSDEEP

6144:HNeZm//7la+u61CkduDVUWurQZt1czVpwS:HNl/zlnNCyAUW1KgS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gocbcx.exe

pid process

1352 gocbcx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4744 1352 WerFault.exe gocbcx.exe

pid	process
1352	gocbcx.exe

pid	pid_target	process	target process
4744	1352	WerFault.exe	gocbcx.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

gocbcx.exeFattura_855.pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gocbcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura_855.pdf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Fattura_855.pdf.exegocbcx.exe

description	pid	process	target process
PID 1264 wrote to memory of 1352	1264	Fattura_855.pdf.exe	gocbcx.exe
PID 1264 wrote to memory of 1352	1264	Fattura_855.pdf.exe	gocbcx.exe
PID 1264 wrote to memory of 1352	1264	Fattura_855.pdf.exe	gocbcx.exe
PID 1352 wrote to memory of 2296	1352	gocbcx.exe	gocbcx.exe
PID 1352 wrote to memory of 2296	1352	gocbcx.exe	gocbcx.exe
PID 1352 wrote to memory of 2296	1352	gocbcx.exe	gocbcx.exe

C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
  C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
    C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 492
    3⤵
    - Program crash
    PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1352 -ip 1352
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

Filesize
64KB

MD5
6c310e309e2ddfe8ae53e95c525c9e52

SHA1
694861bf8fbddafc5673853c8f7c910a2b60a1b7

SHA256
ffef20b2c9b8d9cdd4f471718ef688a8bd4834b6481978574b877ab14a91228d

SHA512
8030a4b7d8d225699d4c9d71cf015dbb90895266e9006c5fee1ba9ce56ac871f1f9477ee4ccf6c62109ef23f0321d9590a3b286156d5b57e30bbe2f9d302a931

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncssrlmzyd

Filesize
184KB

MD5
02475297a79138c050381b19f13cbb88

SHA1
efeb9032605484fdea6478b224afe59af46f29a3

SHA256
a3439fba9220dbfe1fb05f3dfa24aab3e7f72071ff1f16bae20fd58c227e4b7a

SHA512
35e9e844e33c1ac1ad3ce9e035ba2ff6302e84941bcd300011c758fa6eb917292a2db480a3d1592e6a275b84621708b08109579599781c2fd28fdba8f7e25d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnukeqm

Filesize
5KB

MD5
8d73805cc88e7c5fb975ea51d44509c0

SHA1
7b3615aeb8d8a6a049dd59d2c6883c2d60c689b8

SHA256
83bd692b6115ceeb84745dac471dc333377ce29178894d0493e0d2a6acd975b4

SHA512
e50598247e565bb3d509189c107f288ee07d163913d38a2e9ebf2f5bdaed969c49c027c96e0afab8a00cefc2c4cf4e712d99b853a2b3af36694ff1784b75dff3

Download Submit
memory/1352-8-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download