44703eacf8321a8fd05283f755a781a7cb17a55961159ab28d570c2196a79eb7

General

Target

Payment Invoice.exe
Size

336KB
MD5

22997b8feb197ffc197b427c00c28f14
SHA1

74e8887e1629767090f7ed4e3f8abd92e718819f
SHA256

44703eacf8321a8fd05283f755a781a7cb17a55961159ab28d570c2196a79eb7
SHA512

d80e15c042f71675ccf50b93201aac64722c5b6a844c9c19e79eb330eda5c4e4fa09052a33399da3a6889779a823b4f824f442ba28594e790c3d254d9ab16477

Score

7^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 912	1108	Payment Invoice.exe	24
PID 912 set thread context of 1284	912	Payment Invoice.exe	20
PID 1512 set thread context of 1284	1512	cmstp.exe	20

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	Payment Invoice.exe
Token: SeDebugPrivilege	1512	cmstp.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
1700	cmd.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1108 wrote to memory of 912	1108	Payment Invoice.exe	24
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1284 wrote to memory of 1512	1284	Explorer.EXE	33
PID 1512 wrote to memory of 1700	1512	cmstp.exe	34
PID 1512 wrote to memory of 1700	1512	cmstp.exe	34
PID 1512 wrote to memory of 1700	1512	cmstp.exe	34
PID 1512 wrote to memory of 1700	1512	cmstp.exe	34

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
912	Payment Invoice.exe
912	Payment Invoice.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe
1512	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
912	Payment Invoice.exe
912	Payment Invoice.exe
912	Payment Invoice.exe
1512	cmstp.exe
1512	cmstp.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
PID:1284
- C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:912
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:748
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:816
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1088
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1068
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1044
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1060
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    3⤵
    - Deletes itself
    PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1512-5-0x0000000000920000-0x0000000000938000-memory.dmp

Filesize
96KB

Download
memory/1512-7-0x0000000000470000-0x0000000000511000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing