fa2438aaa59415efd6159ece227f7f57a1f83568f6af6faa4d2e0827e8eb0dab

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment 18102022 pdf.exe
Size

703KB
MD5

eb566da5f09a5de0eaf16a15298a3334
SHA1

e31fba8a86fa6075628889c28c1eb0a8a30072c6
SHA256

8e2a59e64796ca70e6b84a15d632ebc5bff7427901b4b1f5ce854505fba40421
SHA512

2f086333a1365a5dd82d526810a7ad05afc36a8b9cb5b8bd8078bb8a2e5c738e1e9ef778f0ff60c505e8acf70455bd7e5a26a52affff4d0a3261fbc613bc24ae
SSDEEP

12288:4bmpiBDXym+cyqM8OQEpw/nVwKorUs1Ag9CACJ3aZKDOcNA5av+BjgAC7RX:4bmpOum+cy+O3EnxorUsXQAKZNA46jgF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3512	xrknt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
408	3512	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment 18102022 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrknt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3512	xrknt.exe
3512	xrknt.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3512	xrknt.exe
3512	xrknt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3512	860	Payment 18102022 pdf.exe	82
PID 860 wrote to memory of 3512	860	Payment 18102022 pdf.exe	82
PID 860 wrote to memory of 3512	860	Payment 18102022 pdf.exe	82

C:\Users\Admin\AppData\Local\Temp\Payment 18102022 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment 18102022 pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\xrknt.exe
  "C:\Users\Admin\AppData\Local\Temp\xrknt.exe" "C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 684
    3⤵
    - Program crash
    PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3512 -ip 3512
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3

Filesize
5KB

MD5
dc303ae1e97f6b53051e3d0001a3f607

SHA1
e1a4eb96d39dbc0e16092a98b730f17eeccf0ebf

SHA256
3602082b3b4bcfb1a35a293677772cbdb390976ffdeca481d497a38eaeb27181

SHA512
6d221b5aacfc12d5122a748b95445647cf39d48566dc9e7895fbe60d59c18e26673d9c5b11aeebcbd104ab0d1d2785c3aa113cda06b6ec0f9e58124e44e10a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdqgism.ry

Filesize
185KB

MD5
3c0d1c359b5d0d5fce27c9a0fe1ac5e7

SHA1
12e361391c709216bde1d3c3371e50a038812084

SHA256
4d4fd178b85c749daa1a4a684e15ef4ccce5b05dd5b3e635ab5a0c546fae4577

SHA512
b9d07be3c7ae30988d18c801b4ccedee892e6283d14bc04f26df968be43086ee36f8ceb204457820028ead6d5949cc8f03405b28c6161050c0b9cfe7814d96f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqgaoyqe.y

Filesize
37KB

MD5
aacc6b463e571b0f06a9b399088aa973

SHA1
828d202192363100136184a54708515ce5f8387a

SHA256
987fa33440205e9b6ffd5fd0a1ea3e70f32d8da79a2b6ade903ebf7861d5125b

SHA512
b9f9bdcef3caacf7d77c95e579aaff22bd256358020fd7598be097f81a57c8c118920dae78ed705a0c25969c21c1cfa138c1435270d39b87868925929c9bfbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrknt.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/3512-9-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download