eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041

General

Target

EFT Remittance Slip for Due Invoice.exe
Size

1.2MB
MD5

8c6ad00d939323abfb5ebef28bc8ca00
SHA1

b80b7621a8af48cd62361b938f8727d181661f2f
SHA256

eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041
SHA512

2b3365e3c5d865502121fbae148158aef1d3a9ada2b9152d997c96bad5aa51247a7c1eea1dcea48c98ba09b547b0f58450e2c3e3c62ba80d15571a432d72fc04
SSDEEP

24576:KAHnh+eWsN3skA4RV1Hom2KXFmIaIcPGZV+2urmZ5XEo5:dh+ZkldoPK1XaIcPGmrC5f

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nouses.vbs	nouses.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	nouses.exe
4524	nouses.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cc4-14.dat	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
388	4524	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nouses.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nouses.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFT Remittance Slip for Due Invoice.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1956	nouses.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3204	EFT Remittance Slip for Due Invoice.exe
3204	EFT Remittance Slip for Due Invoice.exe
1956	nouses.exe
1956	nouses.exe
4524	nouses.exe
4524	nouses.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3204	EFT Remittance Slip for Due Invoice.exe
3204	EFT Remittance Slip for Due Invoice.exe
1956	nouses.exe
1956	nouses.exe
4524	nouses.exe
4524	nouses.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 1956	3204	EFT Remittance Slip for Due Invoice.exe	85
PID 3204 wrote to memory of 1956	3204	EFT Remittance Slip for Due Invoice.exe	85
PID 3204 wrote to memory of 1956	3204	EFT Remittance Slip for Due Invoice.exe	85
PID 1956 wrote to memory of 2008	1956	nouses.exe	86
PID 1956 wrote to memory of 2008	1956	nouses.exe	86
PID 1956 wrote to memory of 2008	1956	nouses.exe	86
PID 1956 wrote to memory of 4524	1956	nouses.exe	87
PID 1956 wrote to memory of 4524	1956	nouses.exe	87
PID 1956 wrote to memory of 4524	1956	nouses.exe	87
PID 4524 wrote to memory of 4612	4524	nouses.exe	88
PID 4524 wrote to memory of 4612	4524	nouses.exe	88
PID 4524 wrote to memory of 4612	4524	nouses.exe	88

C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\directiveness\nouses.exe
  "C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\directiveness\nouses.exe
    "C:\Users\Admin\AppData\Local\directiveness\nouses.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directiveness\nouses.exe"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 696
      4⤵
      Program crash
      PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut8D4C.tmp

Filesize
11KB

MD5
3b1fcd9f082d614c7d1de3f5db5f4fd2

SHA1
dac3aeccb897e2304d5270bed9f23e8dfa56a224

SHA256
7f15349a0b2955caa57008acd1221eedfa6ff95b72c9f3fb5bf7d2d3bcebaa9b

SHA512
26d59dff834e3f979af65c6040d2896abac0b7f99e7fa7f75b314fd5bf6e3f28327f5c7f4a8a7b111f16823c73271070a695c09fa84da19f4f8ab5e19d4bdbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8DE9.tmp

Filesize
243KB

MD5
02c20f2fa41808a33a10b3e98a179ed9

SHA1
a108336cd433e9676aa3db0dc8aee175f39c9ec3

SHA256
1e512763f2103b03e7784edc18c547a41081fb7a58224ca2829749e5b1729199

SHA512
00f2dcca56893dba042a415a8d573df56fb02b3340debd9a8b743b5fff1171d4f757d52a673c167a889be8e8a12293939c4fb5c5f76c0e4156f9edc371203cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
56KB

MD5
a244c8146db80a29c4406636da8ad680

SHA1
309f1aa03b8f906b9538b2fa147d004824d456dd

SHA256
5800960034dc44149efdec18a2f7630ae85fd59ede70420586d2b834fc2adbb0

SHA512
d5a7ce6edfffe4923943a97bc90b3f5d66b06b1e0c874116c1f25cf4cbac6dcf298d648c53079cdf884111a3ddc6855fb47b2c6f948e47d736fc52e052ceaa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\recomplete

Filesize
244KB

MD5
3049b8978d95b2ea36152578ef982629

SHA1
b699d478e3557e05930e92c2245df7ef779dbf46

SHA256
f1c113b83a898563818f146577940f823cff8af668f0c56f2134c6d7e56b5f5e

SHA512
7da7c8409c64a75853051ce12d4d0d39e72d6b3261402e10389068154f4b5f6b1c21b8dcc2a64bf1a8a1c4d328172c9ae5718ce229490cf981c5a0a0a327601b

Download Submit
C:\Users\Admin\AppData\Local\directiveness\nouses.exe

Filesize
1.2MB

MD5
8c6ad00d939323abfb5ebef28bc8ca00

SHA1
b80b7621a8af48cd62361b938f8727d181661f2f

SHA256
eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041

SHA512
2b3365e3c5d865502121fbae148158aef1d3a9ada2b9152d997c96bad5aa51247a7c1eea1dcea48c98ba09b547b0f58450e2c3e3c62ba80d15571a432d72fc04

Download Submit
memory/1956-29-0x00000000010F0000-0x00000000014F0000-memory.dmp

Filesize
4.0MB

Download
memory/3204-11-0x0000000001770000-0x0000000001B70000-memory.dmp

Filesize
4.0MB

Download
memory/4524-45-0x0000000001700000-0x0000000001B00000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing