80c30db2d99ff849295e7c0a8e6924ead10228105d0d675f02c1244ef6bd0106

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orignal Invoice_pdf.exe
Size

299KB
MD5

d9145fe0ca078e3e8ed799105e393108
SHA1

3dab0d6ac85b82314add7e0773ad05635e5dbc1f
SHA256

2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
SHA512

8cccc42d5bf3fe345ff3dc119408de574ac3da756e9b0f2e76160b225b21dba7bfbbc61cd40bccaef3c104fb566f3bd53a4ca1c17f55867bcccfbe37fbdc1229
SSDEEP

6144:ibE/HUk01969hJRIA767oUL5J3RvZrLZcCEyBoh/uwmZZ+:ibw01969PR9xU/1EyBWmw6Z+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	duzcazams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4724	4360	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orignal Invoice_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzcazams.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4360	548	Orignal Invoice_pdf.exe	84
PID 548 wrote to memory of 4360	548	Orignal Invoice_pdf.exe	84
PID 548 wrote to memory of 4360	548	Orignal Invoice_pdf.exe	84

C:\Users\Admin\AppData\Local\Temp\Orignal Invoice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Orignal Invoice_pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\duzcazams.exe
  "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 656
    3⤵
    - Program crash
    PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4360 -ip 4360
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eecmykwj.xuq

Filesize
185KB

MD5
eb786ca8456fb02e6299292f7464fa75

SHA1
4b6939380e970bcf1cc92b3ad3fa21916ea1ddab

SHA256
3e00383dd3ada755bb6cb3394d3b8b2d3e43dce6051600f4273f82d9963521c9

SHA512
9b1f6717f845975871fd45d5d6518a20b3ec223959acdbfd23fc2693f5f15d4a72f4f16a8220ac2bada3ffccba25068196b6c5afbc0d67ce3edbc9b3964e0979

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgiybpcm.x

Filesize
4KB

MD5
f16bf3d9ad3ecf461f26e9a75e9bdc8b

SHA1
d5342aa6db4efa8e58ca7a7e379a66797c78203b

SHA256
d6f00878293204cc85c2a112f4f8160aeaa7601afcf4a64f78735a8eea11559b

SHA512
5156bcfa507faf5788bb92648a48c1cb56901798d351cdf6deff7861bd80962b52715c5e034146da07066acf434f85e7b660643dcb9d51b082067fc3dd9bcdaa

Download Submit
memory/4360-8-0x0000000001130000-0x0000000001132000-memory.dmp

Filesize
8KB

Download