Analysis
- max time kernel: 130s
- max time network: 136s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: Preform Invoice ...exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Preform Invoice ...exe
- Resource: win10v200430
General
- Target: Preform Invoice ...exe
- Size: 400KB
- MD5: 7436d6d1549b98955d6a551e2717b686
- SHA1: d0bdfec6db5e6f53849fbaac36bc60744acc0ca6
- SHA256: d98201be756dd6ea07c4473bcf6806f8e0ae18d48e78b26dacfd42618f0c0f0b
- SHA512: dfc86b59a4fc58a79d81b1bb219bfee2ed3f7cf1eabdd3fdc9cab3ce74422de582456915d1098eff7e4ee42ee4791ce5ce4f7f5960582f5327545d0168ab880e
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description         pid   process                 target pid  target process
    wrote to memory of  1060  Preform Invoice ...exe  1432        schtasks.exe
    wrote to memory of  1060  Preform Invoice ...exe  1432        schtasks.exe
    wrote to memory of  1060  Preform Invoice ...exe  1432        schtasks.exe
    wrote to memory of  1060  Preform Invoice ...exe  1432        schtasks.exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
    wrote to memory of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description            pid   process                 target pid  target process
    set thread context of  1060  Preform Invoice ...exe  888         Preform Invoice ...exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  888  Preform Invoice ...exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  process
    888  Preform Invoice ...exe
    888  Preform Invoice ...exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid  process
    888  Preform Invoice ...exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid  process
    888  Preform Invoice ...exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\Preform Invoice ...exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Preform Invoice ...exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzHvAXTZdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FB9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Preform Invoice ...exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7FB9.tmp
- memory/888-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/888-3-0x0000000000446B2E-mapping.dmp
- memory/888-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/888-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1432-0-0x0000000000000000-mapping.dmp