d22cd7fc720b7fc65ab0ec5a50e8dbde8c58c499ec5c289c0e1614f24d6255f8

General

Target

Proforma Invoice 20200619.exe
Size

619KB
MD5

0c55c4e607abb7f6c593d6d8dc140a0a
SHA1

6e50f8fcf9ec02aeee70b4ce14bd44a45b29bd32
SHA256

d22cd7fc720b7fc65ab0ec5a50e8dbde8c58c499ec5c289c0e1614f24d6255f8
SHA512

713facdb87ef95d5a569ebd69067101c25a0dd3ef65af778fcefb8dffb070580badd084a4cc86bc0130e35c23f17b5a71d3fcecb3ba9a88383d14d557a6b7371

Score

8^/10

persistence evasion spyware

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1504 3928 WerFault.exe RegAsm.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3692 REG.exe
Disables Task Manager via registry modification
evasion
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	pid_target	process	target process
1504	3928	WerFault.exe	RegAsm.exe

pid	process
3692	REG.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Proforma Invoice 20200619.exeRegAsm.exe

description	pid	process	target process
PID 4032 wrote to memory of 3928	4032	Proforma Invoice 20200619.exe	RegAsm.exe
PID 4032 wrote to memory of 3928	4032	Proforma Invoice 20200619.exe	RegAsm.exe
PID 4032 wrote to memory of 3928	4032	Proforma Invoice 20200619.exe	RegAsm.exe
PID 4032 wrote to memory of 3928	4032	Proforma Invoice 20200619.exe	RegAsm.exe
PID 3928 wrote to memory of 3692	3928	RegAsm.exe	REG.exe
PID 3928 wrote to memory of 3692	3928	RegAsm.exe	REG.exe
PID 3928 wrote to memory of 3692	3928	RegAsm.exe	REG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Proforma Invoice 20200619.exe

description pid process target process

PID 4032 set thread context of 3928 4032 Proforma Invoice 20200619.exe RegAsm.exe

description	pid	process	target process
PID 4032 set thread context of 3928	4032	Proforma Invoice 20200619.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RegAsm.exeWerFault.exe

pid	process
3928	RegAsm.exe
3928	RegAsm.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Proforma Invoice 20200619.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\mediafiles = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mediafile.exe"	Proforma Invoice 20200619.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Proforma Invoice 20200619.exe

pid process

4032 Proforma Invoice 20200619.exe

pid	process
4032	Proforma Invoice 20200619.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3928	RegAsm.exe
Token: SeRestorePrivilege	1504	WerFault.exe
Token: SeBackupPrivilege	1504	WerFault.exe
Token: SeDebugPrivilege	1504	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 20200619.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 20200619.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1544
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-3-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1504-15-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3692-2-0x0000000000000000-mapping.dmp

Download
memory/3928-8-0x000000000044B93E-mapping.dmp

Download
memory/3928-4-0x000000000044B93E-mapping.dmp

Download
memory/3928-5-0x000000000044B93E-mapping.dmp

Download
memory/3928-6-0x000000000044B93E-mapping.dmp

Download
memory/3928-7-0x000000000044B93E-mapping.dmp

Download
memory/3928-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3928-9-0x000000000044B93E-mapping.dmp

Download
memory/3928-10-0x000000000044B93E-mapping.dmp

Download
memory/3928-11-0x000000000044B93E-mapping.dmp

Download
memory/3928-12-0x000000000044B93E-mapping.dmp

Download
memory/3928-13-0x000000000044B93E-mapping.dmp

Download
memory/3928-14-0x000000000044B93E-mapping.dmp

Download
memory/3928-1-0x000000000044B93E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads