81fa9837f35a889c5ad494e1b91ddb3b8d05ec4e9ae93eba19ebf21e125f0797

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice and Quotation.exe
Size

289KB
MD5

2e07da5fa7627362c6666c94210a40fe
SHA1

8fe040d7df872ae78e702f11827bd236a6201981
SHA256

c58e97524572e398ed81f73169c0fad3cbfd691761b997cf09be2a69ef5a6be0
SHA512

23af93e3f00ca661a33e03d1063b3c1fe9b974c62ef136233092153b7b9839e8a807bcdb24c3b079c0d28aa1909e0e543dbf102a569dfa846ceb1e9db095fe5a
SSDEEP

6144:owdWxpYqbDdleIkpq7pvzkh3p1YCuzcAGz7FGpxvFu20RCp93Nn0:YxpYqbDdleMdzktTYCuAAAilNphu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
448	qxbcmmh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	448	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice and Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxbcmmh.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 448	2340	Invoice and Quotation.exe	82
PID 2340 wrote to memory of 448	2340	Invoice and Quotation.exe	82
PID 2340 wrote to memory of 448	2340	Invoice and Quotation.exe	82
PID 448 wrote to memory of 1072	448	qxbcmmh.exe	83
PID 448 wrote to memory of 1072	448	qxbcmmh.exe	83
PID 448 wrote to memory of 1072	448	qxbcmmh.exe	83

C:\Users\Admin\AppData\Local\Temp\Invoice and Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice and Quotation.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe
  C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe C:\Users\Admin\AppData\Local\Temp\cucpwml
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe
    C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe C:\Users\Admin\AppData\Local\Temp\cucpwml
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 492
    3⤵
    - Program crash
    PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 448 -ip 448
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cucpwml

Filesize
4KB

MD5
1b170c978765a651c824be0f1c1e486c

SHA1
efff465225cba6bc49f377662fc6665258994e58

SHA256
db2ac9ed9296e1dfd69e9cdd5539d21772fb135b49722b5e01f8c728c8f0ffaa

SHA512
e34f4c522d8a57d3781bd61421a6574f6c236be7d5ce97590392129e76d2bae69b19c0c5e143c35211e59f89591bc4e58a48512714a8025e6ad0b98908517135

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1g2u9lfjcqmh2

Filesize
211KB

MD5
827020ced381e55262695f58f84f278f

SHA1
ddc57871c40731903747162ae79bb9115b0838f2

SHA256
44bf31710fb7db97cfd76c864473981b648a5d175ce3ef0186bf2d2ff9966a5a

SHA512
9721ab681dd84abd526b36b99c59765903d9e635fe48d60c97fbea9428c0e332c72cb41bf90a73b3922170fda1b72e1ab838b27f2f19db8d898a566202ee0ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe

Filesize
117KB

MD5
65facecea332bbb51b802e66b329eb18

SHA1
019140dda8ec2d92fe2597c8949208a7ebe95c6e

SHA256
c6935a83136101694625c5904af17387b6cf2a2a0b91ae394615e4d1fa61bb28

SHA512
d9d241441345f5c2e0bbd9e41489d9907d5c722f030249fa0f8285c13c5b3c872a8805a8b673060cba16f72a4ad8feba3a1ffd93524930193fe08bbe443a3842

Download Submit
memory/448-7-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download