Analysis
- max time kernel: 131s
- max time network: 136s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: Preform Invoice.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Preform Invoice.exe
  Resource: win10v200430
General
- Target: Preform Invoice.exe
- Size: 390KB
- MD5: fac2cb9080743d1c1201d307dadc66a7
- SHA1: 58445be625af49f21df9502d4f7f27d1bf43c083
- SHA256: 6d8990f56f9413f16f2dbe490367d7585b5e6165982e6929a8fd71fc60cffefd
- SHA512: 44b3a0350c78f71b1272e9a51f33c5a8275bff18ce079b8b41250bdcfb3ae8db9fc59037058999b556156cdb791f853907371fac0d74f66004100f7a169b74ca
Malware Config
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (Preform Invoice.exe):
    description             | pid  | process
    Token: SeDebugPrivilege | 1804 | Preform Invoice.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (Preform Invoice.exe):
    pid  | process
    1804 | Preform Invoice.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (Preform Invoice.exe):
    description                      | pid  | process             | target process
    PID 1060 wrote to memory of 1828 | 1060 | Preform Invoice.exe | schtasks.exe        (4 identical entries)
    PID 1060 wrote to memory of 1804 | 1060 | Preform Invoice.exe | Preform Invoice.exe (9 identical entries)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (Preform Invoice.exe):
    description                         | pid  | process             | target process
    PID 1060 set thread context of 1804 | 1060 | Preform Invoice.exe | Preform Invoice.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (Preform Invoice.exe):
    pid  | process
    1804 | Preform Invoice.exe (2 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Preform Invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Preform Invoice.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUvJoaHGhK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4E8.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Preform Invoice.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF4E8.tmp
- memory/1060-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1804-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1804-5-0x0000000000446ABE-mapping.dmp
- memory/1804-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1804-7-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1828-2-0x0000000000000000-mapping.dmp