c56c00ca3f42026f17affef76b3752f268d1498f862b3143985ca7c1d33feb39

Resubmissions

21-01-2025 11:18

250121-nef6aa1jfx 10

Analysis

max time kernel
139s
max time network
159s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF.FaturaDetay_202407.exe
Size

322KB
MD5

3a2ba5be087162cfdb5d49ac32edd534
SHA1

879043e2954c4cf7f461c1381ae2a943d71bbaef
SHA256

7a285458817660143004002c76b1e1457666b1659dfbd35863541f62630430d0
SHA512

ba8dba7d1cd39b00cf6ee894809b1c09a3f72484d6dafb4ff2b2663d29247baf0565dfc3e4f0bcccb78138ffca59e9c56579485244d00f5b1bc69cfedb1c024a
SSDEEP

6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLGx1d0RjzV5Pnz63LLHBNy:kANwRo+mv8QD4+0V16xblLPkLLhNy

Score

8^/10

defense_evasion discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2644	RootDesign.exe
2948	RootDesign.exe
2428	RootDesign.exe
1128	RootDesign.exe
1872	RootDesign.exe

Loads dropped DLL 3 IoCs

pid	Process
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUqdates = "C:\\TheDream\\RootDesign.exe"	RootDesign.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2800	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RootDesign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RootDesign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RootDesign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RootDesign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RootDesign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDF.FaturaDetay_202407.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2892	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2800	2736	PDF.FaturaDetay_202407.exe	30
PID 2736 wrote to memory of 2800	2736	PDF.FaturaDetay_202407.exe	30
PID 2736 wrote to memory of 2800	2736	PDF.FaturaDetay_202407.exe	30
PID 2736 wrote to memory of 2800	2736	PDF.FaturaDetay_202407.exe	30
PID 2800 wrote to memory of 2892	2800	cmd.exe	32
PID 2800 wrote to memory of 2892	2800	cmd.exe	32
PID 2800 wrote to memory of 2892	2800	cmd.exe	32
PID 2800 wrote to memory of 2892	2800	cmd.exe	32
PID 2892 wrote to memory of 3024	2892	powershell.exe	33
PID 2892 wrote to memory of 3024	2892	powershell.exe	33
PID 2892 wrote to memory of 3024	2892	powershell.exe	33
PID 2892 wrote to memory of 3024	2892	powershell.exe	33
PID 3024 wrote to memory of 2644	3024	powershell.exe	34
PID 3024 wrote to memory of 2644	3024	powershell.exe	34
PID 3024 wrote to memory of 2644	3024	powershell.exe	34
PID 3024 wrote to memory of 2644	3024	powershell.exe	34
PID 2644 wrote to memory of 2948	2644	RootDesign.exe	37
PID 2644 wrote to memory of 2948	2644	RootDesign.exe	37
PID 2644 wrote to memory of 2948	2644	RootDesign.exe	37
PID 2644 wrote to memory of 2948	2644	RootDesign.exe	37
PID 2948 wrote to memory of 2428	2948	RootDesign.exe	38
PID 2948 wrote to memory of 2428	2948	RootDesign.exe	38
PID 2948 wrote to memory of 2428	2948	RootDesign.exe	38
PID 2948 wrote to memory of 2428	2948	RootDesign.exe	38
PID 2428 wrote to memory of 1128	2428	RootDesign.exe	40
PID 2428 wrote to memory of 1128	2428	RootDesign.exe	40
PID 2428 wrote to memory of 1128	2428	RootDesign.exe	40
PID 2428 wrote to memory of 1128	2428	RootDesign.exe	40
PID 1128 wrote to memory of 1872	1128	RootDesign.exe	42
PID 1128 wrote to memory of 1872	1128	RootDesign.exe	42
PID 1128 wrote to memory of 1872	1128	RootDesign.exe	42
PID 1128 wrote to memory of 1872	1128	RootDesign.exe	42

C:\Users\Admin\AppData\Local\Temp\PDF.FaturaDetay_202407.exe
"C:\Users\Admin\AppData\Local\Temp\PDF.FaturaDetay_202407.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TheDream\log.txt

Filesize
21B

MD5
3c232254a15022c8bccc67a163f2ce5a

SHA1
bd82a81e9048be79ae2b5513333d9bb9c6325999

SHA256
2af33a3f0aba7bfc582cceab6baece188696c0ab08940acb8dbe086b48e6a589

SHA512
67793fbb1dd2dde93a85bd830884ad02cac37dfd7bbb92ceb591dd866fc9e0663ab8941d8c43dc144134b661b0c7009f6f7bfbc8aa023c86d30fbe7f9bde6c18

Download Submit
C:\TheDream\log.txt

Filesize
36B

MD5
a5b0591b2f70456da9cd02ef7b388049

SHA1
c4436deecb44292acdb1aaf6e594f81f87bbd59a

SHA256
4dc16645122903c5a02cbc562d46e9b0167a4df03a7d4f331237ab299934f717

SHA512
33226836f1f8546ca287138f647062c5d2cd9f3f735020e93941a786ebd1f381bad3b486624b52c57dd62957bccb36c1c4fb5256f9cd40981647d8f04750de4c

Download Submit
C:\TheDream\log.txt

Filesize
51B

MD5
4bf48e46840fb716c7f67cb15aaf0640

SHA1
57871bd1a9084f3d16582e3a4b367e729d43f072

SHA256
71ed11b127d1bde7c75ca3e5af17c70106e8b07c728f72eaa7a0fb7186621912

SHA512
b94021a7acf4ff4190ad70823b2560952b8f683da580a1365e13a3157799b9cfb73f51bad43f2c91b78c6d34a75db84c032cef0cfd529f70a13b0005525d64de

Download Submit
C:\TheDream\log.txt

Filesize
66B

MD5
01c596cbd77a920982c9cd4d4cca3d12

SHA1
fb442b56ed6545dc6f7395ec46dacb56d084b141

SHA256
9497780664233254a6b3785a48367c6cc9cbac3b7e712c0fcf6e239d7814d842

SHA512
0e94b4b795b0f376ff5efe59f6bd1463b588a8c1154ed0b8956b0e988f93529455a69283ce1e55f2637c73fbf7dd5eaa23a45e97da4f430688c7f6eccdce29ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d3b29dae729ed55c5928e4b2cc0c1541

SHA1
3ccdc47633274087c7cfb012a832cc946c4465e6

SHA256
82c933b966ae010fbd4ec66e9f8ec65603a9166c9f6ff97365fbf3c34e0f2825

SHA512
7fa9547e1ee090cf27b4bc74b390fc39d3e95b96cb36a6c3f08d6d97956c66274c18d4c03aa7c1c4362080a1f32744e8d6ae338640f501709deacfadcec74fd9

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
934c538703a8d75fc9452968bd4153e4

SHA1
f85647d373dcafe1dc6c54d2fef2a6cb192a5172

SHA256
04ead23fabb8ebae8d2e271624b5059a89300c6ae824469b671d26dc5d72208d

SHA512
7112ac70c40ab61bfa68151ac78ff6ebee02ee8a61869ae0f083bd5fbc8d22ff585ecbb59156694cf17072363d4ffb4bf1bb51b9194e697e1bf1827f79ac0c05

Download Submit
\TheDream\RootDesign.exe

Filesize
125KB

MD5
e739795e2208eb8e10ee98b92b52a5ca

SHA1
0ac1bd3681544350158ff9d7c44d1732b5673178

SHA256
bbda59896347af0b13c361b9fb97c42c1903e1cd1fad498c8192416c408139c5

SHA512
ff39f09fc65d6bad6b6a5d555c453ee7a29fdb8d7e16dc4ef08cb9a3b2b0d14558dc379a87e5e170752fdac56192b1d677cbb447a880e6c0fca5f0110b63c062

Download Submit
memory/2644-35-0x0000000001080000-0x00000000010A8000-memory.dmp

Filesize
160KB

Download
memory/2644-36-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2736-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-17-0x0000000073ED1000-0x0000000073ED2000-memory.dmp

Filesize
4KB

Download
memory/2892-32-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-21-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-20-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-19-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-18-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download