Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2025, 04:53

General

  • Target

    Hsbc Payment Advice.exe

  • Size

    952KB

  • MD5

    0a90abd17408e7c0612c753396003ef7

  • SHA1

    8e73a2ec4a15a672137576027803c72c7c077a73

  • SHA256

    c77ab1184e302130f2c3cf10d7352a084d5e87054534d308cafc91d2821470c0

  • SHA512

    30f1d1bda2ee4909d3d0eeeabaf81f9acbf92045a379cddea1848e095c095cb9114bd052df28ffcf52b4284c656678af334c3339ae3f32b6f11d9c148efa0769

  • SSDEEP

    24576:DAHnh+eWsN3skA4RV1Hom2KXFmIaRzbx+Dj5:Oh+ZkldoPK1XaRzl+J

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe
    "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
      2⤵
        PID:996
      • C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe
        "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\Hsbc Payment Advice.exe"
          3⤵
            PID:4496
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 704
            3⤵
            • Program crash
            PID:1692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3804 -ip 3804
        1⤵
          PID:4840

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Bactris

                Filesize

                56KB

                MD5

                0919e297d5fac1ceda1cd27c8be30785

                SHA1

                b236197b15f269b5289db6d2ebf48ed15d8c2b6f

                SHA256

                ee134b4ace24c031745698beb0e87d27e17fe8ff36077d62b235891b80a0bbbb

                SHA512

                0c96c0a7c22cb8ed546304845f22597efe20d29795cc47747ffccaa4cc2f7d7e12709dc16da440d6f770ad189542e94ae54a4bc20da2be3492773d085e133726

              • memory/452-11-0x0000000000FB0000-0x00000000013B0000-memory.dmp

                Filesize

                4.0MB

              • memory/3804-25-0x0000000001630000-0x0000000001A30000-memory.dmp

                Filesize

                4.0MB