Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 29/01/2025, 04:53
Static task: static1

Behavioral task: behavioral1
Sample: Hsbc Payment Advice.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Hsbc Payment Advice.exe
Resource: win10v2004-20241007-en
General

Target: Hsbc Payment Advice.exe
Size: 952KB
MD5: 0a90abd17408e7c0612c753396003ef7
SHA1: 8e73a2ec4a15a672137576027803c72c7c077a73
SHA256: c77ab1184e302130f2c3cf10d7352a084d5e87054534d308cafc91d2821470c0
SHA512: 30f1d1bda2ee4909d3d0eeeabaf81f9acbf92045a379cddea1848e095c095cb9114bd052df28ffcf52b4284c656678af334c3339ae3f32b6f11d9c148efa0769
SSDEEP: 24576:DAHnh+eWsN3skA4RV1Hom2KXFmIaRzbx+Dj5:Oh+ZkldoPK1XaRzl+J
Malware Config
Signatures
Program crash (1 IoCs)
pid    pid_target   Process        procid_target
1692   3804         WerFault.exe   84
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hsbc Payment Advice.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hsbc Payment Advice.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
pid    Process
452    Hsbc Payment Advice.exe
3804   Hsbc Payment Advice.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid    Process
452    Hsbc Payment Advice.exe
452    Hsbc Payment Advice.exe
3804   Hsbc Payment Advice.exe
3804   Hsbc Payment Advice.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid    Process
452    Hsbc Payment Advice.exe
452    Hsbc Payment Advice.exe
3804   Hsbc Payment Advice.exe
3804   Hsbc Payment Advice.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                        pid    Process                   procid_target
PID 452 wrote to memory of 996     452    Hsbc Payment Advice.exe   83
PID 452 wrote to memory of 996     452    Hsbc Payment Advice.exe   83
PID 452 wrote to memory of 996     452    Hsbc Payment Advice.exe   83
PID 452 wrote to memory of 3804    452    Hsbc Payment Advice.exe   84
PID 452 wrote to memory of 3804    452    Hsbc Payment Advice.exe   84
PID 452 wrote to memory of 3804    452    Hsbc Payment Advice.exe   84
PID 3804 wrote to memory of 4496   3804   Hsbc Payment Advice.exe   85
PID 3804 wrote to memory of 4496   3804   Hsbc Payment Advice.exe   85
PID 3804 wrote to memory of 4496   3804   Hsbc Payment Advice.exe   85
PID 3804 wrote to memory of 4496   3804   Hsbc Payment Advice.exe   85
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
    PID: 452
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
        PID: 996

    (depth 2) C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
        PID: 3804
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Windows\SysWOW64\svchost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
            PID: 4496

        (depth 3) C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 704
            PID: 1692
            - Program crash

(depth 1) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3804 -ip 3804
    PID: 4840
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 56KB
MD5: 0919e297d5fac1ceda1cd27c8be30785
SHA1: b236197b15f269b5289db6d2ebf48ed15d8c2b6f
SHA256: ee134b4ace24c031745698beb0e87d27e17fe8ff36077d62b235891b80a0bbbb
SHA512: 0c96c0a7c22cb8ed546304845f22597efe20d29795cc47747ffccaa4cc2f7d7e12709dc16da440d6f770ad189542e94ae54a4bc20da2be3492773d085e133726