1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BANK RECEIPT.exe
Size

280KB
MD5

6317a0b98ebd6f0ba716fc1b73b4bf31
SHA1

6f593ad2588b2ca2e561f0b47c9654df9fd95932
SHA256

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe
SHA512

e29265b8cc385be1c86751dd04dd2a70d727e8e298cd0d0ca250c2c6515c8d1c189511c564de11cf9c3c85d3efed1e23f7ad4b91bcca156b6b7c4341195f449a
SSDEEP

6144:7PXvBKWuizHoEVrwSNvxsjZ+3Dd4ECaGbz3cA+A0MQ01:tKWNVrHNv2lM3yZ+Wf

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3248	BANK RECEIPT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	3248	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BANK RECEIPT.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 940	3248	BANK RECEIPT.exe	82
PID 3248 wrote to memory of 940	3248	BANK RECEIPT.exe	82
PID 3248 wrote to memory of 940	3248	BANK RECEIPT.exe	82

C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
  "C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
  2⤵
  PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 988
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp6C39.tmp\2g6ght2plrugud.dll

Filesize
5KB

MD5
64ade443342d3aa3790c2846abf93959

SHA1
d6668f6881d40dc3dc3d1f627f2721e1d333e698

SHA256
ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45

SHA512
2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845

Download Submit
memory/3248-7-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download