d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RemittanceAdvice2000255566644.exe
Size

1.1MB
MD5

d3382c7ece891478f530aa870b8dfe9c
SHA1

dfc9a03d58c27797a6f22488ad4d92abc110c3ac
SHA256

d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756
SHA512

ad37198368118b2fb87021095f03ebb3e37ff66f7b41dd982fdfc8d4a6d36fe3d2312edac0f3650d8bbe4a58831e6b3a1e7658bf2f7d139d23f1c751fa488629
SSDEEP

24576:eAHnh+eWsN3skA4RV1Hom2KXFmIaDgx0dFrhIOdcG5:Jh+ZkldoPK1XaDNhIk

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs	chordates.exe

Executes dropped EXE 1 IoCs

pid	Process
4492	chordates.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1140-11-0x0000000000C40000-0x0000000001040000-memory.dmp	autoit_exe
behavioral2/files/0x000b000000023b8d-14.dat	autoit_exe
behavioral2/memory/4492-29-0x0000000000B90000-0x0000000000CAB000-memory.dmp	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2996	4492	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemittanceAdvice2000255566644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chordates.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1140	RemittanceAdvice2000255566644.exe
1140	RemittanceAdvice2000255566644.exe
4492	chordates.exe
4492	chordates.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1140	RemittanceAdvice2000255566644.exe
1140	RemittanceAdvice2000255566644.exe
4492	chordates.exe
4492	chordates.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 4492	1140	RemittanceAdvice2000255566644.exe	85
PID 1140 wrote to memory of 4492	1140	RemittanceAdvice2000255566644.exe	85
PID 1140 wrote to memory of 4492	1140	RemittanceAdvice2000255566644.exe	85
PID 4492 wrote to memory of 2020	4492	chordates.exe	86
PID 4492 wrote to memory of 2020	4492	chordates.exe	86
PID 4492 wrote to memory of 2020	4492	chordates.exe	86

C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe
"C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Idonna\chordates.exe
  "C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 696
    3⤵
    - Program crash
    PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Idonna\chordates.exe

Filesize
1.1MB

MD5
d3382c7ece891478f530aa870b8dfe9c

SHA1
dfc9a03d58c27797a6f22488ad4d92abc110c3ac

SHA256
d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756

SHA512
ad37198368118b2fb87021095f03ebb3e37ff66f7b41dd982fdfc8d4a6d36fe3d2312edac0f3650d8bbe4a58831e6b3a1e7658bf2f7d139d23f1c751fa488629

Download Submit
C:\Users\Admin\AppData\Local\Temp\myriopodous

Filesize
56KB

MD5
bac267db158dd7efe3cff819fa3c557b

SHA1
ba847404a3623777e70a1e26529a842e2caf55cd

SHA256
6fe1a22452dcdad9fd5b4714b5dc0e263828e64cbaac15d78f470e675da606c9

SHA512
63e4c117237a9801d682c4f4819a21a1635bdd1aca8e531d27992dbaab464ba5a1ada4d5e2bdb5de4b5237e5c346ddcff5b6c840d41b90893034f1314e265e73

Download Submit
memory/1140-11-0x0000000000C40000-0x0000000001040000-memory.dmp

Filesize
4.0MB

Download
memory/4492-29-0x0000000000B90000-0x0000000000CAB000-memory.dmp

Filesize
1.1MB

Download