e07a053e060ade739050f6ca9fe418e4bacda6e489cea2944d47ce457e28b217

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
Size

1.0MB
MD5

3117e1fea82124f77a69bb235980a466
SHA1

6ec1f0dbee329f8b50b28e8db066ed16488dcf8d
SHA256

08bb478cb1a7ea9b27e688cb320cafd8d91073cb220d3f956b5c135a50d26c86
SHA512

07b927625a333f03aa034ae23e6fe702d4666cbdcbe1a0f05d42f94ace10141f7ad08cd998533342b6a1989469c6d6394673b92b3e4117131e80fd8ea1279524
SSDEEP

24576:Au6J33O0c+JY5UZ+XC0kGso6FajkiRFijUMaLFIWY:qu0c++OCvkGs9FajkiRFcUMaFY

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\woolpacks.vbs	woolpacks.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	woolpacks.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000d000000023b2a-9.dat	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	5028	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woolpacks.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5028	woolpacks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 5028	4228	REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe	88
PID 4228 wrote to memory of 5028	4228	REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe	88
PID 4228 wrote to memory of 5028	4228	REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe	88
PID 5028 wrote to memory of 4872	5028	woolpacks.exe	89
PID 5028 wrote to memory of 4872	5028	woolpacks.exe	89
PID 5028 wrote to memory of 4872	5028	woolpacks.exe	89

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Local\intemerateness\woolpacks.exe
  "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR DEMISTER, HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 664
    3⤵
    - Program crash
    PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hymenophyllaceae

Filesize
235KB

MD5
019d54ca6873bd71442152de27598b84

SHA1
db31c629088ed2dff08a234dd423248fd1f323a5

SHA256
38a6ca0c0c73cde2eeafb07992b69b05d9656d0df3d431622dba17d49c8ec649

SHA512
cc3473ff7a11a45df274ab17af36a12ab296b186f2e8a8049b2ca7336d5a4d87a8d63ae5b5ecb889ccd32762410a0136151a07d4cce90de0bafc6e277cda71f2

Download Submit
C:\Users\Admin\AppData\Local\intemerateness\woolpacks.exe

Filesize
1.0MB

MD5
3117e1fea82124f77a69bb235980a466

SHA1
6ec1f0dbee329f8b50b28e8db066ed16488dcf8d

SHA256
08bb478cb1a7ea9b27e688cb320cafd8d91073cb220d3f956b5c135a50d26c86

SHA512
07b927625a333f03aa034ae23e6fe702d4666cbdcbe1a0f05d42f94ace10141f7ad08cd998533342b6a1989469c6d6394673b92b3e4117131e80fd8ea1279524

Download Submit
memory/4228-6-0x0000000001860000-0x0000000001C60000-memory.dmp

Filesize
4.0MB

Download
memory/5028-18-0x0000000000C70000-0x0000000001070000-memory.dmp

Filesize
4.0MB

Download