Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 15:10

General

  • Target

    Purchase order 202412.scr

  • Size

    1.6MB

  • MD5

    15214c528c41de4d5e542ebd3d4ac075

  • SHA1

    bdab48d323ab0e0c4689061db5fb08adfe1afec8

  • SHA256

    5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63

  • SHA512

    02b6635e4f1a98765e65ee14db0e93ab8dfdf4c7c0086addad86e4a09466ae49dc66accda0bc142828656fca994eb99255ea4c762ffc9f6706410e4877cc9fc2

  • SSDEEP

    24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr
    "C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /S
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 484
      2⤵
      • Program crash
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BeConf.ini

    Filesize

    75B

    MD5

    3b76d3cd0fc3eb96afae754496ad3f71

    SHA1

    4ec65df20e96a6441767c8ac8c26fd55a67053b9

    SHA256

    3c1949b5049bd316a4187cd85947e4aa97b7db97a705cae80adb257f1c8602bb

    SHA512

    5344fae101c7c27592506b2139eaa165db0d4a4686d21c424b7b86389890b462865fc00b3219bf667a0c3b8c66ecc4483d5d853bf41bf077b22759cfe09dc003

  • \Users\Admin\AppData\Local\Temp\nstF0B7.tmp\System.dll

    Filesize

    11KB

    MD5

    0063d48afe5a0cdc02833145667b6641

    SHA1

    e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    SHA256

    ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    SHA512

    71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0