Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
12-12-2024 15:10
Static task
static1
Behavioral task
behavioral1
Sample
Purchase order 202412.scr
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Purchase order 202412.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Purchase order 202412.scr
-
Size
1.6MB
-
MD5
15214c528c41de4d5e542ebd3d4ac075
-
SHA1
bdab48d323ab0e0c4689061db5fb08adfe1afec8
-
SHA256
5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63
-
SHA512
02b6635e4f1a98765e65ee14db0e93ab8dfdf4c7c0086addad86e4a09466ae49dc66accda0bc142828656fca994eb99255ea4c762ffc9f6706410e4877cc9fc2
-
SSDEEP
24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid   Process
2788  Purchase order 202412.scr
2788  Purchase order 202412.scr
-
Drops file in Program Files directory 1 IoCs
description                   ioc                                                            Process
File opened for modification  C:\Program Files (x86)\Common Files\polybuny\proteolysis.dat  Purchase order 202412.scr
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2668  2788        WerFault.exe  30
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Purchase order 202412.scr
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                    procid_target
PID 2788 wrote to memory of 2668  2788  Purchase order 202412.scr  31
PID 2788 wrote to memory of 2668  2788  Purchase order 202412.scr  31
PID 2788 wrote to memory of 2668  2788  Purchase order 202412.scr  31
PID 2788 wrote to memory of 2668  2788  Purchase order 202412.scr  31
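The signatures above record three behaviours worth turning into detection logic: the sample, launched from the user's Temp directory, opens the NLS\Language key (ATT&CK T1614.001), drops a file under Program Files, and is seen writing into the memory of a child process. That last child is WerFault.exe started with the sample's own pid (-p 2788), which is Windows' ordinary crash-reporting path rather than injection; note also that because the sample crashed on this Win7 run, later behaviour may simply not have been observed, so the Win10 task (behavioral2) should be compared. The following Python is an added example, not sandbox output or the sample's code: it runs that logic over a constructed Sysmon-style event stream modelled on the report's process tree, with a benign control (a system binary reading the same key) and a hypothetical write into an unrelated process added to show the rules discriminate. Field names and pids 900 and 3100 are assumptions.

```python
import re

# Constructed Sysmon-style event stream mirroring the report's process tree.
# Field names, the benign controls (pids 900, 3100) and the events themselves
# are our own construction, not output from the sandbox.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 2788, "ppid": 1500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr"},
    {"event": "RegistryOpen", "pid": 2788,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"event": "FileCreate", "pid": 2788,
     "path": r"C:\Program Files (x86)\Common Files\polybuny\proteolysis.dat"},
    {"event": "ProcessCreate", "pid": 2668, "ppid": 2788,
     "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"event": "WriteProcessMemory", "pid": 2788, "target_pid": 2668},
    # Benign control: a system binary reading the same key from a normal path.
    {"event": "ProcessCreate", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"event": "RegistryOpen", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\NLS\Language"},
    # Hypothetical: the Temp-launched sample writing into an unrelated process.
    {"event": "ProcessCreate", "pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"event": "WriteProcessMemory", "pid": 2788, "target_pid": 3100},
]

# Match both the ControlSet00N form the sandbox logs and the CurrentControlSet
# alias a live host usually reports.
NLS_LANGUAGE_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\NLS\\Language$", re.IGNORECASE)
TEMP_ORIGIN = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.IGNORECASE)
WERFAULT = re.compile(r"\\WerFault\.exe$", re.IGNORECASE)


def detect(events):
    """Return (label, pid, detail) alerts for the behaviours the report flags."""
    procs = {}    # pid -> (image, ppid), filled from ProcessCreate events
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            procs[ev["pid"]] = (ev["image"], ev["ppid"])
            continue
        image, _ = procs.get(ev["pid"], ("", None))
        from_temp = bool(TEMP_ORIGIN.match(image))
        if kind == "RegistryOpen":
            # T1614.001: language lookups are routine for system binaries, so
            # only alert when the reader was launched from a user-writable temp dir.
            if from_temp and NLS_LANGUAGE_KEY.match(ev["key"]):
                alerts.append(("T1614.001 system language discovery", ev["pid"], ev["key"]))
        elif kind == "FileCreate":
            if from_temp and PROGRAM_FILES.match(ev["path"]):
                alerts.append(("Drops file in Program Files directory", ev["pid"], ev["path"]))
        elif kind == "WriteProcessMemory":
            t_image, t_ppid = procs.get(ev["target_pid"], ("", None))
            # A faulting process launches WerFault.exe itself as its own child;
            # writes into that child are the crash-report path, not injection.
            if WERFAULT.search(t_image) and t_ppid == ev["pid"]:
                continue
            if from_temp:
                alerts.append(("WriteProcessMemory into foreign process", ev["pid"], ev["target_pid"]))
    return alerts


if __name__ == "__main__":
    for label, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{label}\tpid={pid}\t{detail}")
```

Run against the constructed stream this yields three alerts, all for pid 2788: the language-key read, the Program Files drop, and the hypothetical write into notepad.exe; the WerFault write and explorer's key read are suppressed. The Temp-origin gate is the load-bearing choice: without it, the NLS\Language rule fires on every process that formats a date.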
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr
Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order 202412.scr" /S
Depth: 1
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 484
Depth: 2
- Program crash
PID:2668
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
75B
MD5
3b76d3cd0fc3eb96afae754496ad3f71
SHA1
4ec65df20e96a6441767c8ac8c26fd55a67053b9
SHA256
3c1949b5049bd316a4187cd85947e4aa97b7db97a705cae80adb257f1c8602bb
SHA512
5344fae101c7c27592506b2139eaa165db0d4a4686d21c424b7b86389890b462865fc00b3219bf667a0c3b8c66ecc4483d5d853bf41bf077b22759cfe09dc003
-
Filesize
11KB
MD5
0063d48afe5a0cdc02833145667b6641
SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0