Analysis

  • max time kernel
    94s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 22:34

General

  • Target

    order payment.exe

  • Size

    291KB

  • MD5

    ec2853c83cff7b763bb603a2754749f1

  • SHA1

    0d7e640764aea9b1a8585ac57edf8e2061cd5c61

  • SHA256

    9cb67c087ee707c5878f773e00cc4d55ad3b9fa3092b9ea9614647a06a9c9003

  • SHA512

    e8f6521f398c1670f3efb5b34b52e58eb8f960a8496e81d5ea180ff763581fa7802ca1352a6ec5733d449f68e0a1918c8744fd8b824e9b15ad10086330e8ec5c

  • SSDEEP

    6144:owkx9R0tcuke6acPbZv8f3tdSUmuzpJ40N/btqbJZCZquFHyqWUG:m9R1GuPN8/VdpJD5eZATHyMG

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order payment.exe
    "C:\Users\Admin\AppData\Local\Temp\order payment.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\hgdwc.exe
      C:\Users\Admin\AppData\Local\Temp\hgdwc.exe C:\Users\Admin\AppData\Local\Temp\iukir
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Users\Admin\AppData\Local\Temp\hgdwc.exe
        C:\Users\Admin\AppData\Local\Temp\hgdwc.exe C:\Users\Admin\AppData\Local\Temp\iukir
        3⤵
        PID:1492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 444
          3⤵
          • Program crash
          PID:2536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4196 -ip 4196
      1⤵
      PID:3648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\adf407wb8l0r7

    Filesize
    210KB

    MD5
    b601f33851f78660a0b5abc2be3e83bb

    SHA1
    c5fdb470e113470381935e9c2c10051aefb76970

    SHA256
    1b69e05ac65da2ee1ba67be6aa16cff03cf880962630932e8523ff82cd71370b

    SHA512
    82ff6b2355814f7b7a132b87f18bafec6b7d0c5f4b8b55eed13bee55c92069ea257f72305999fdfddd0620980850cf2dbc82d34bd6c5b3d3118aa3e008b08971

  • C:\Users\Admin\AppData\Local\Temp\hgdwc.exe

    Filesize
    120KB

    MD5
    b1179c8714525c79f49b3e1cdbb37339

    SHA1
    7cae6fbe83da4a0a0cd4f090e731d50c7622aa05

    SHA256
    dbff6c480833bf385c392057177822a2b6c7cc988ec6305c021aacf3e89c0f94

    SHA512
    e23b43787e81f758e2758febe49c89680dbda8373acf3301b0092339f537c734425724bf13c7f210e8b76541cee68a544f8f8bc8682d24e138fd59815d0774a1

  • C:\Users\Admin\AppData\Local\Temp\iukir

    Filesize
    4KB

    MD5
    5cd6eb17496e11cfe215c6e123bc2091

    SHA1
    f4f8d3dd2668eb41cf435f8728f05e1771aac559

    SHA256
    0599672c94c4632563c14238136c245df9b7166afabee2a64786835e09a67ad7

    SHA512
    923cf8962aa052cc503df2ceeb18cec6f4fc29f26347146e5c0f8317ddf71f5e56724668bfe2840051433a3b83094839449a9af90dc375b23d7f46307b28d8bc

  • memory/4196-8-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

    Filesize
    8KB