Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 05:54
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Receipt.exe
- Resource: win10v200430
General
- Target: Receipt.exe
- Size: 5.1MB
- MD5: 4d37240c2a9aab1b8dfd0aee7d418adc
- SHA1: fb684fe749432d7fb74e95a26f6614362c9b26b2
- SHA256: 9013e308218b70c038971d37c9ab446b81108079344e71f25e1d131487657c97
- SHA512: 5e84c6ff15e51d044c68b01b371b94a00d9d3806ff3bb9cad2aa4446f0f14c79cd95228f13601b88b980152eb4c85f9c0a65eed09034489062d68e93afd7d5ea
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
    1612 | Receipt.exe (3 events)
    1896 | bvn.exe (3 events)
    1984 | RegAsm.exe (2 events)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
    PID 1612 wrote to memory of 1048 | 1612 | Receipt.exe | cmd.exe (4 events)
    PID 1048 wrote to memory of 1316 | 1048 | cmd.exe | reg.exe (4 events)
    PID 1612 wrote to memory of 1896 | 1612 | Receipt.exe | bvn.exe (4 events)
    PID 1896 wrote to memory of 1984 | 1896 | bvn.exe | RegAsm.exe (12 events)
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1896 | bvn.exe
    1984 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1896 set thread context of 1984 | 1896 | bvn.exe | RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    1984 | RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1612 | Receipt.exe
    Token: SeDebugPrivilege | 1896 | bvn.exe
    Token: SeDebugPrivilege | 1984 | RegAsm.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1896 | bvn.exe
    1984 | RegAsm.exe
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cash = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\bvn.exe" | reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Receipt.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v cash /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\bvn.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v cash /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\bvn.exe"
      - Adds Run entry to start application
  - C:\Users\Admin\Desktop\bvn.exe (depth 2)
    Command line: "C:\Users\Admin\Desktop\bvn.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of AdjustPrivilegeToken
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
- C:\Users\Admin\Desktop\bvn.exe
- C:\Users\Admin\Desktop\bvn.exe
- \Users\Admin\AppData\Local\Temp\RegAsm.exe
- \Users\Admin\AppData\Local\Temp\RegAsm.exe
- memory/1048-3-0x0000000000000000-mapping.dmp
- memory/1316-4-0x0000000000000000-mapping.dmp
- memory/1612-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1896-5-0x0000000000000000-mapping.dmp
- memory/1984-16-0x000000000044B84E-mapping.dmp
- memory/1984-18-0x0000000000090000-0x00000000000E0000-memory.dmp (Filesize: 320KB)
- memory/1984-19-0x0000000000090000-0x00000000000E0000-memory.dmp (Filesize: 320KB)