Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 20:42
Static task: static1
Behavioral task: behavioral1
  Sample: FACTURA.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: FACTURA.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/772vhhojj684oi.dll
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/772vhhojj684oi.dll
  Resource: win10v2004-20241007-en
Behavioral task: behavioral5
  Sample: URGENT Request for Quotation.pdf.exe
  Resource: win7-20240903-en
General
Target: FACTURA.exe
Size: 259KB
MD5: dbe8f4544e6c99ac9311d37139150e9a
SHA1: 14da5f434e987b372a2e783d49134877bcce9ebe
SHA256: c3192d94f1b44c9c8ce94f3865d88b1a169dde10f3dadf3a517c3de34487a5a5
SHA512: 25a785d5d9cd19bf0e9805dee79433140de4cd5fc3384e292ec6421089f0560fdb44fcb0a2eed8a2774f9d3a89a6c30b5cc1248756d3b44125e478bc991e8a41
SSDEEP: 3072:7Ere7GjyCaFvcm6kDbv4cYMzwdr74NVwfuSJZKSCKwlZGFs/LOC8sTkZtcEPE3fV:7PXz3AcYVaeuS7K/K6ZGVzZtNE3rZ
Malware Config
Signatures
Loads dropped DLL (1 IoCs)
  pid: 2076, Process: FACTURA.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid: 3632, pid_target: 2076, Process: WerFault.exe, procid_target: 82
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: FACTURA.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2076 wrote to memory of 728, pid: 2076, Process: FACTURA.exe, procid_target: 83
  description: PID 2076 wrote to memory of 728, pid: 2076, Process: FACTURA.exe, procid_target: 83
  description: PID 2076 wrote to memory of 728, pid: 2076, Process: FACTURA.exe, procid_target: 83
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2076
    C:\Users\Admin\AppData\Local\Temp\FACTURA.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
      PID: 728
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1008
      - Program crash
      PID: 3632
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2076 -ip 2076
  PID: 5000
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 5e3d3dadd742c63f01034fb9175caef2
SHA1: a3c3cdd8ba24655f36ef248678efe1fade8bc6e8
SHA256: c5e4e3bca252502d2c1b4dd9af51de6f14f495b97965e6f0cb9689ce2501afe1
SHA512: 6d19e6f22dd4442baf620111e4370ebe83acde452240dfb171c6492051f9cbede8d1c0a7de538d012e20ef98e07d61ed1e126050a890425f4a868f27a4d66440