Resubmissions

21-01-2025 11:18

250121-nef6aa1jfx 10

Analysis

  • max time kernel
    141s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2025 11:18

General

  • Target

    1PDF.FaturaDetay_202407.exe

  • Size

    323KB

  • MD5

    d8bf792f818877bf4848fde9511caeb8

  • SHA1

    a8aea1abb7cf1ddb275584bb5746c97790342e80

  • SHA256

    f5d96127b34730cf3bbbccd1c35098873fc0af897cc5d6dc3dd39a8e64c511d7

  • SHA512

    28292c32d518cecb66ef0a41f583022b6c125ae758fb013dd51896c25625cc23da2a8604d794e2198939f994d15bec09d9b67003bc5bd734d27b15b167e1ebe4

  • SSDEEP

    6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLtsorUC7ggXpTILMYSQpIIQENMshQt:kANwRo+mv8QD4+0V161tTNjkIIFN5c

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its console window hidden (-windowstyle hidden).

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Console or application windows that would normally appear while a program runs are suppressed; here cmd.exe launches PowerShell with -windowstyle hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe
    "C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
      2⤵
      • Hide Artifacts: Hidden Window
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\TheDream\RootDesign.exe
            "C:\TheDream\RootDesign.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\TheDream\RootDesign.exe
              "C:\TheDream\RootDesign.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1832
              • C:\TheDream\RootDesign.exe
                "C:\TheDream\RootDesign.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1408
                • C:\TheDream\RootDesign.exe
                  "C:\TheDream\RootDesign.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:972
                  • C:\TheDream\RootDesign.exe
                    "C:\TheDream\RootDesign.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2892
                    • C:\TheDream\RootDesign.exe
                      "C:\TheDream\RootDesign.exe"
                      10⤵
                      PID:2324
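The process tree above is the most reusable part of this report for a detection engineer: a PDF-themed EXE in the user's Temp directory launches cmd.exe /c, which launches PowerShell with a hidden window, which launches an EXE from a non-default root directory (C:\TheDream\) that then re-executes itself six levels deep. The following Python block, added here as an example and not tooling from the sandbox, encodes those behaviours as checks over simplified process-creation events (pid, ppid, image, command line, the fields a Sysmon Event ID 1 or EDR process event carries). The sample events are constructed from the report's own tree: the PIDs and command lines are the ones listed, while the parent PIDs 1000 and 3000 and the benign control event are assumptions. Note that the hidden-window check matches parameter prefixes, because powershell.exe accepts any unambiguous prefix of a parameter name (-w h is the same as -WindowStyle Hidden).

```python
"""Detection checks for the hidden-window PowerShell launch chain in the
process tree above. Added example, not sandbox tooling. Event shape is a
constructed, simplified process-create record: pid, ppid, image, cmdline."""

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Root-level directories where an EXE is expected to live on a default install.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)",
                  "users", "programdata"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ROOT = r"C:\TheDream\RootDesign.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the report's process tree; ppid 1000/3000 and the last
# (benign control) event are assumptions.
EVENTS = [
    ev(1736, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),
    ev(2916, 1736, r"C:\Windows\SysWOW64\cmd.exe",
       r'"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c ' + ROOT),
    ev(2128, 2916, PS, r"PowerShell.exe -windowstyle hidden powershell -c " + ROOT),
    ev(2304, 2128, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c ' + ROOT),
    ev(2512, 2304, ROOT, f'"{ROOT}"'),
    ev(1832, 2512, ROOT, f'"{ROOT}"'),
    ev(1408, 1832, ROOT, f'"{ROOT}"'),
    ev(4000, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _tokens(cmdline):
    # Quote-stripped whitespace split; enough for the argument shapes here.
    return cmdline.replace('"', "").split()


def hidden_window_powershell(cmdline):
    """True if the command line asks PowerShell for a hidden window.
    powershell.exe accepts any unambiguous prefix of a parameter name, so
    '-w h', '-win hid' and '-WindowStyle Hidden' are equivalent."""
    toks = _tokens(cmdline)
    for flag, value in zip(toks, toks[1:]):
        if (flag.startswith("-") and len(flag) > 1
                and "windowstyle".startswith(flag[1:].lower())
                and "hidden".startswith(value.lower())):
            return True
    return False


def from_nonstandard_root(path):
    """True for an EXE directly under a non-default root directory,
    e.g. C:\\TheDream\\RootDesign.exe (parts: drive, directory, file)."""
    parts = PureWindowsPath(path).parts
    return (len(parts) == 3 and parts[1].lower() not in STANDARD_ROOTS
            and parts[2].lower().endswith(".exe"))


def ancestors(by_pid, pid):
    """Ancestor events, nearest first; stops at unknown PIDs or cycles."""
    seen, out, e = set(), [], by_pid.get(pid)
    while e and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        out.append(e)
    return out


def analyze(events):
    """Return {pid: [alert, ...]} for events showing the chain's behaviours."""
    by_pid = {e["pid"]: e for e in events}
    alerts = defaultdict(list)
    for e in events:
        lineage = [e] + ancestors(by_pid, e["pid"])
        toks = _tokens(e["cmdline"])
        # The hidden-window request is visible on cmd.exe's command line
        # (cmd /c PowerShell ...) as well as on PowerShell's own.
        if "powershell" in e["cmdline"].lower() and hidden_window_powershell(e["cmdline"]):
            alerts[e["pid"]].append("hidden_window_powershell")
            if (any(_basename(a["image"]) == "cmd.exe" for a in lineage)
                    and any(TEMP_RE.search(a["image"]) for a in lineage)):
                alerts[e["pid"]].append("temp_exe_cmd_powershell_chain")
        # Any argument naming an EXE under a non-default root directory.
        if any(from_nonstandard_root(t) for t in toks[1:]):
            alerts[e["pid"]].append("launches_exe_in_nonstandard_root")
        if from_nonstandard_root(e["image"]):
            alerts[e["pid"]].append("exe_in_nonstandard_root")
        # Self-respawn: the same image re-executing itself repeatedly.
        depth = 0
        for a in lineage[1:]:
            if a["image"].lower() != e["image"].lower():
                break
            depth += 1
        if depth >= 2:
            alerts[e["pid"]].append(f"self_respawn_depth_{depth}")
    return dict(alerts)


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run against the constructed events, the two PowerShell-bearing command lines (cmd.exe 2916 and powershell.exe 2128) trip the hidden-window and Temp-EXE-to-cmd-to-PowerShell chain checks, every process that names C:\TheDream\RootDesign.exe as an argument is flagged for launching an EXE from a non-default root, and the third nested RootDesign.exe (PID 1408) is flagged for self-respawn depth; the benign control (a visible -File run from System32) produces nothing. The self-respawn threshold of 2 and the root-directory allowlist are tuning choices, not values taken from the report.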

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\TheDream\log.txt

      Filesize

      17B

      MD5

      6973b88e8ca2c8c4ad67369cd211a49f

      SHA1

      cce768cc4a13cf8edd1841add873c2b0dea1738b

      SHA256

      b060331cb9f98d15d3fe25b8a311dc431c84a85bfa06426ad80cc3bef5b924ec

      SHA512

      35e2ddc683fea47325d6c7374a6a93faa71d52185b2f0f127a9cf7dec0f2347b12668eb668a267314443ed511b5e7d939f1f93640b9c6425fcc660d42f35d945

    • C:\TheDream\log.txt

      Filesize

      33B

      MD5

      b1eec1f4ab428032df8fe89e1126d0eb

      SHA1

      545171c320602c976b0fc13754ddbb307724e0aa

      SHA256

      c3b9233cb90ee38b6916f27a84fcbfbd70e7d59f792a4a191e5b6adb87ca75f1

      SHA512

      f5f624a15f1f6910c25e5c1f7b292345062378972c07106c64d7139def46ee3dea7e3b99ba4216c2cd7d84a7a82906b0092b97edff86865b5e73b12156edea1a

    • C:\TheDream\log.txt

      Filesize

      48B

      MD5

      1d89a8d548de37e16541372cc27300af

      SHA1

      5fd89d509296bf368c2e498a0bc72e04aea596f5

      SHA256

      93e10bc4fe7068fe7564384e1d32d850b97183d54067dcd7618c6c21aabb94fa

      SHA512

      ee0ff6bec74732277459a9a81e147e4dcc194fa8f5b57406b68424220b16f9b5ddf2a26c063566d1e120afbda37b59fc36adb94f1b7308989fa1055400e19258

    • C:\TheDream\log.txt

      Filesize

      63B

      MD5

      f81d9e83620c89bfde85ab2941bb0376

      SHA1

      1fbfcc09f799a24f82e678ca1c474e1ab1f63a52

      SHA256

      385d6c604a215eb5866ae59f63656fb58d0af0782156a1546de47682174807d7

      SHA512

      b12f842f8b9f2faf6b1bca1b637b4b54821b9a9c473974322cf3af80e6eac21e398ff16d03546a94733b94909e71553a45814a9dd669dfbb9b9c6a1dd0407a5b

    • C:\TheDream\log.txt

      Filesize

      78B

      MD5

      e5194869aa1e865bef36ee36b51aa863

      SHA1

      51e5896c5ae667ab0c3a6a7206a22d0332d2aa45

      SHA256

      4c8c1f2d9ef8192c3afd48d716c3c572acbde061dad28c93b96b4dd322094ee4

      SHA512

      ed523b4f21f15d1ce5c05b0856a58b45a51894e572f7dcafbc7ebb82fbf0164b9375635a0328636011e185f0b8874446c266a7591112abd23065457eb9f52747

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      5a4f2c15739c2857f1c7dd5289f50bc0

      SHA1

      124b8683e7a6ab5d26cd95615c2eeda2f4c07b96

      SHA256

      da770d48e21dde2b60a009008f4dcb9236ce0cb0387912b8e875dd3485fd6527

      SHA512

      21fb08f8d3c13ab05b2337876e8146796c3a5b2717e65390d3808666af90dd90ea6c5f800899e35db8512fbca68f847e0d38f4121d94dcabca7e80c6ee8d7e07

    • C:\Users\Admin\Desktop\readme.txt

      Filesize

      1KB

      MD5

      934c538703a8d75fc9452968bd4153e4

      SHA1

      f85647d373dcafe1dc6c54d2fef2a6cb192a5172

      SHA256

      04ead23fabb8ebae8d2e271624b5059a89300c6ae824469b671d26dc5d72208d

      SHA512

      7112ac70c40ab61bfa68151ac78ff6ebee02ee8a61869ae0f083bd5fbc8d22ff585ecbb59156694cf17072363d4ffb4bf1bb51b9194e697e1bf1827f79ac0c05

    • \TheDream\RootDesign.exe

      Filesize

      126KB

      MD5

      ba563203779c4ad6b2e619c42463f4a8

      SHA1

      d85458664b6c971d2e24da84a2dbbb88a03fc542

      SHA256

      a5794b8e199ca1a7c35cb4d393282fde4a73e9f9190153e97a13eb9baf3a35e6

      SHA512

      6a6b85d228ac630f6468965d5b8c66d2f7edc07f1a18444debc22b46a7923fe7021e4219cb3513ac1996d6b36052d64455267836835f5df12961039a1b858849

    • memory/1736-35-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2128-21-0x00000000744E0000-0x0000000074A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2128-32-0x00000000744E0000-0x0000000074A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2128-17-0x00000000744E1000-0x00000000744E2000-memory.dmp

      Filesize

      4KB

    • memory/2128-20-0x00000000744E0000-0x0000000074A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2128-19-0x00000000744E0000-0x0000000074A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2128-18-0x00000000744E0000-0x0000000074A8B000-memory.dmp

      Filesize

      5.7MB

    • memory/2512-36-0x00000000002B0000-0x00000000002B6000-memory.dmp

      Filesize

      24KB

    • memory/2512-33-0x0000000000C20000-0x0000000000C48000-memory.dmp

      Filesize

      160KB