Overview

overview

10

Static

static

10

1PDF.Fatur...07.exe

windows7-x64

8

1PDF.Fatur...07.exe

windows10-2004-x64

8

3e6642f710...5e.exe

windows7-x64

10

3e6642f710...5e.exe

windows10-2004-x64

10

4c40337094...92.exe

windows7-x64

10

4c40337094...92.exe

windows10-2004-x64

10

644d928a4a...25.exe

windows7-x64

10

644d928a4a...25.exe

windows10-2004-x64

10

64ec6562b9...2e.exe

windows7-x64

10

64ec6562b9...2e.exe

windows10-2004-x64

10

7a0395c75a...8e.exe

windows7-x64

10

7a0395c75a...8e.exe

windows10-2004-x64

10

901478668c...d4.exe

windows7-x64

10

901478668c...d4.exe

windows10-2004-x64

10

938b7e042b...98.exe

windows7-x64

10

938b7e042b...98.exe

windows10-2004-x64

10

96d1bc7dec...b7.exe

windows7-x64

10

96d1bc7dec...b7.exe

windows10-2004-x64

10

Built.exe

windows7-x64

7

Built.exe

windows10-2004-x64

8

DHL_PT5638...53.bat

windows7-x64

8

DHL_PT5638...53.bat

windows10-2004-x64

8

DTLite.exe

windows7-x64

10

DTLite.exe

windows10-2004-x64

10

PDF.Fatura...07.exe

windows7-x64

8

PDF.Fatura...07.exe

windows10-2004-x64

8

PDF.exe

windows7-x64

10

PDF.exe

windows10-2004-x64

10

SIP.03746.XSLSX.exe

windows7-x64

8

SIP.03746.XSLSX.exe

windows10-2004-x64

8

a33245a27c...8a.exe

windows7-x64

10

a33245a27c...8a.exe

windows10-2004-x64

10

Resubmissions

21-01-2025 11:18

250121-nef6aa1jfx 10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1PDF.FaturaDetay_202407.exe

  • Size

    323KB

  • MD5

    d8bf792f818877bf4848fde9511caeb8

  • SHA1

    a8aea1abb7cf1ddb275584bb5746c97790342e80

  • SHA256

    f5d96127b34730cf3bbbccd1c35098873fc0af897cc5d6dc3dd39a8e64c511d7

  • SHA512

    28292c32d518cecb66ef0a41f583022b6c125ae758fb013dd51896c25625cc23da2a8604d794e2198939f994d15bec09d9b67003bc5bd734d27b15b167e1ebe4

  • SSDEEP

    6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLtsorUC7ggXpTILMYSQpIIQENMshQt:kANwRo+mv8QD4+0V161tTNjkIIFN5c

Score
8/10
defense_evasiondiscoveryexecutionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe
    "C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
      2⤵
      • Hide Artifacts: Hidden Window
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4356
          • C:\TheDream\RootDesign.exe
            "C:\TheDream\RootDesign.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3924
            • C:\TheDream\RootDesign.exe
              "C:\TheDream\RootDesign.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\TheDream\RootDesign.exe
                "C:\TheDream\RootDesign.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:100
                • C:\TheDream\RootDesign.exe
                  "C:\TheDream\RootDesign.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4172
                  • C:\TheDream\RootDesign.exe
                    "C:\TheDream\RootDesign.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1136
                    • C:\TheDream\RootDesign.exe
                      "C:\TheDream\RootDesign.exe"
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\TheDream\RootDesign.exe
    Filesize

    126KB

    MD5

    ba563203779c4ad6b2e619c42463f4a8

    SHA1

    d85458664b6c971d2e24da84a2dbbb88a03fc542

    SHA256

    a5794b8e199ca1a7c35cb4d393282fde4a73e9f9190153e97a13eb9baf3a35e6

    SHA512

    6a6b85d228ac630f6468965d5b8c66d2f7edc07f1a18444debc22b46a7923fe7021e4219cb3513ac1996d6b36052d64455267836835f5df12961039a1b858849

    Download Submit

  • C:\TheDream\log.txt
    Filesize

    17B

    MD5

    6973b88e8ca2c8c4ad67369cd211a49f

    SHA1

    cce768cc4a13cf8edd1841add873c2b0dea1738b

    SHA256

    b060331cb9f98d15d3fe25b8a311dc431c84a85bfa06426ad80cc3bef5b924ec

    SHA512

    35e2ddc683fea47325d6c7374a6a93faa71d52185b2f0f127a9cf7dec0f2347b12668eb668a267314443ed511b5e7d939f1f93640b9c6425fcc660d42f35d945

    Download Submit

  • C:\TheDream\log.txt
    Filesize

    33B

    MD5

    b1eec1f4ab428032df8fe89e1126d0eb

    SHA1

    545171c320602c976b0fc13754ddbb307724e0aa

    SHA256

    c3b9233cb90ee38b6916f27a84fcbfbd70e7d59f792a4a191e5b6adb87ca75f1

    SHA512

    f5f624a15f1f6910c25e5c1f7b292345062378972c07106c64d7139def46ee3dea7e3b99ba4216c2cd7d84a7a82906b0092b97edff86865b5e73b12156edea1a

    Download Submit

  • C:\TheDream\log.txt
    Filesize

    48B

    MD5

    1d89a8d548de37e16541372cc27300af

    SHA1

    5fd89d509296bf368c2e498a0bc72e04aea596f5

    SHA256

    93e10bc4fe7068fe7564384e1d32d850b97183d54067dcd7618c6c21aabb94fa

    SHA512

    ee0ff6bec74732277459a9a81e147e4dcc194fa8f5b57406b68424220b16f9b5ddf2a26c063566d1e120afbda37b59fc36adb94f1b7308989fa1055400e19258

    Download Submit

  • C:\TheDream\log.txt
    Filesize

    63B

    MD5

    f81d9e83620c89bfde85ab2941bb0376

    SHA1

    1fbfcc09f799a24f82e678ca1c474e1ab1f63a52

    SHA256

    385d6c604a215eb5866ae59f63656fb58d0af0782156a1546de47682174807d7

    SHA512

    b12f842f8b9f2faf6b1bca1b637b4b54821b9a9c473974322cf3af80e6eac21e398ff16d03546a94733b94909e71553a45814a9dd669dfbb9b9c6a1dd0407a5b

    Download Submit

  • C:\TheDream\log.txt
    Filesize

    78B

    MD5

    e5194869aa1e865bef36ee36b51aa863

    SHA1

    51e5896c5ae667ab0c3a6a7206a22d0332d2aa45

    SHA256

    4c8c1f2d9ef8192c3afd48d716c3c572acbde061dad28c93b96b4dd322094ee4

    SHA512

    ed523b4f21f15d1ce5c05b0856a58b45a51894e572f7dcafbc7ebb82fbf0164b9375635a0328636011e185f0b8874446c266a7591112abd23065457eb9f52747

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RootDesign.exe.log
    Filesize

    1KB

    MD5

    96cca7a6ce0df83a5eaacad47f26e6c0

    SHA1

    a203126275c74e9974ba23a1269e8f5104b134b3

    SHA256

    e29461f622da1d1f9e37466f5dc1f96bb10621454cffc5fd4dc73ae2f973d344

    SHA512

    11dc5cfdf4ed957fc8ebc4894ff8e2cbbd64864032159625bd6b92daa16053cad12cb61c17416a55b76c3722174cf751bd108665402ea426225670589520cacb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    28854213fdaa59751b2b4cfe772289cc

    SHA1

    fa7058052780f4b856dc2d56b88163ed55deb6ab

    SHA256

    7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

    SHA512

    1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    0622cde57bbfc979a5e9fe27d1526b06

    SHA1

    9fadc1a5f8f2b39ca318099ebf9ce12ac55d5b26

    SHA256

    d27349b6f92425847bcb6c64b98039a3167a1e9ddeefecbad0876cb66c54312d

    SHA512

    d9b7bad4111a71e00a40485c5eec5e64286d9a37af8968cea125c3dfc816b173581e934e234013b59855fa532a826f8112e4476038237f405a5dc50267d59a41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjmqpvy1.uoq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\Desktop\readme.txt
    Filesize

    1KB

    MD5

    934c538703a8d75fc9452968bd4153e4

    SHA1

    f85647d373dcafe1dc6c54d2fef2a6cb192a5172

    SHA256

    04ead23fabb8ebae8d2e271624b5059a89300c6ae824469b671d26dc5d72208d

    SHA512

    7112ac70c40ab61bfa68151ac78ff6ebee02ee8a61869ae0f083bd5fbc8d22ff585ecbb59156694cf17072363d4ffb4bf1bb51b9194e697e1bf1827f79ac0c05

    Download Submit

  • memory/1508-62-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2240-21-0x0000000005C30000-0x0000000005C96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2240-33-0x00000000062E0000-0x000000000632C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2240-32-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2240-31-0x0000000005DA0000-0x00000000060F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2240-15-0x0000000072A5E000-0x0000000072A5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-20-0x0000000005BC0000-0x0000000005C26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2240-59-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2240-19-0x00000000052F0000-0x0000000005312000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2240-18-0x00000000053E0000-0x0000000005A08000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2240-17-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2240-16-0x0000000002CF0000-0x0000000002D26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3924-52-0x0000000001180000-0x0000000001186000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3924-61-0x00000000052D0000-0x00000000052DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3924-58-0x00000000053B0000-0x00000000053D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3924-57-0x0000000005310000-0x00000000053A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3924-53-0x0000000009DA0000-0x000000000A344000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3924-48-0x0000000000890000-0x00000000008B8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4356-51-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4356-36-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4356-35-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4356-34-0x0000000072A50000-0x0000000073200000-memory.dmp

    Filesize

    7.7MB

    Download