Overview

overview

7

Static

static

Payment Invoice.exe

windows7_x64

7

Payment Invoice.exe

windows10_x64

3

Analysis

  • max time kernel
    147s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08-07-2020 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Invoice.exe

  • Size

    336KB

  • MD5

    22997b8feb197ffc197b427c00c28f14

  • SHA1

    74e8887e1629767090f7ed4e3f8abd92e718819f

  • SHA256

    44703eacf8321a8fd05283f755a781a7cb17a55961159ab28d570c2196a79eb7

  • SHA512

    d80e15c042f71675ccf50b93201aac64722c5b6a844c9c19e79eb330eda5c4e4fa09052a33399da3a6889779a823b4f824f442ba28594e790c3d254d9ab16477

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:912
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:748
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:816
        • C:\Windows\SysWOW64\autoconv.exe
          "C:\Windows\SysWOW64\autoconv.exe"
          2⤵
            PID:1088
          • C:\Windows\SysWOW64\autoconv.exe
            "C:\Windows\SysWOW64\autoconv.exe"
            2⤵
              PID:1068
            • C:\Windows\SysWOW64\autoconv.exe
              "C:\Windows\SysWOW64\autoconv.exe"
              2⤵
                PID:1044
              • C:\Windows\SysWOW64\autoconv.exe
                "C:\Windows\SysWOW64\autoconv.exe"
                2⤵
                  PID:1060
                • C:\Windows\SysWOW64\autoconv.exe
                  "C:\Windows\SysWOW64\autoconv.exe"
                  2⤵
                    PID:1056
                  • C:\Windows\SysWOW64\autoconv.exe
                    "C:\Windows\SysWOW64\autoconv.exe"
                    2⤵
                      PID:1516
                    • C:\Windows\SysWOW64\cmstp.exe
                      "C:\Windows\SysWOW64\cmstp.exe"
                      2⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:1512
                      • C:\Windows\SysWOW64\cmd.exe
                        /c del "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
                        3⤵
                        • Deletes itself
                        PID:1700

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Credential Access

                  Discovery

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/912-2-0x0000000000400000-0x000000000042D000-memory.dmp
                    Filesize

                    180KB

                    Download
                  • memory/912-3-0x000000000041E2C0-mapping.dmp
                    Download
                  • memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp
                    Download
                  • memory/1512-4-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1512-5-0x0000000000920000-0x0000000000938000-memory.dmp
                    Filesize

                    96KB

                    Download
                  • memory/1512-7-0x0000000000470000-0x0000000000511000-memory.dmp
                    Filesize

                    644KB

                    Download
                  • memory/1700-6-0x0000000000000000-mapping.dmp
                    Download