88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7

General

Target

INVOICE999990.exe
Size

550KB
MD5

005f4b79b9e9fdb2690c8e2db96daa7d
SHA1

3a5235d9f3d7c048d569d2bfea64954c71be95a8
SHA256

88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7
SHA512

541993e59dd90af133dffc4df7b10fd7889cd59e852f5fd3f5388cc2e87ff0883f4f5fdda523b7ac45f50860be7bd42526a7ce30ef493a877947af7cbb819bfb

Score

1^/10

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1716	1152	INVOICE999990.exe	24
PID 1152 wrote to memory of 1716	1152	INVOICE999990.exe	24
PID 1152 wrote to memory of 1716	1152	INVOICE999990.exe	24
PID 1152 wrote to memory of 1716	1152	INVOICE999990.exe	24
PID 1152 wrote to memory of 1784	1152	INVOICE999990.exe	26
PID 1152 wrote to memory of 1784	1152	INVOICE999990.exe	26
PID 1152 wrote to memory of 1784	1152	INVOICE999990.exe	26
PID 1152 wrote to memory of 1784	1152	INVOICE999990.exe	26
PID 1152 wrote to memory of 1884	1152	INVOICE999990.exe	27
PID 1152 wrote to memory of 1884	1152	INVOICE999990.exe	27
PID 1152 wrote to memory of 1884	1152	INVOICE999990.exe	27
PID 1152 wrote to memory of 1884	1152	INVOICE999990.exe	27
PID 1152 wrote to memory of 1876	1152	INVOICE999990.exe	28
PID 1152 wrote to memory of 1876	1152	INVOICE999990.exe	28
PID 1152 wrote to memory of 1876	1152	INVOICE999990.exe	28
PID 1152 wrote to memory of 1876	1152	INVOICE999990.exe	28
PID 1152 wrote to memory of 1892	1152	INVOICE999990.exe	29
PID 1152 wrote to memory of 1892	1152	INVOICE999990.exe	29
PID 1152 wrote to memory of 1892	1152	INVOICE999990.exe	29
PID 1152 wrote to memory of 1892	1152	INVOICE999990.exe	29
PID 1152 wrote to memory of 1908	1152	INVOICE999990.exe	30
PID 1152 wrote to memory of 1908	1152	INVOICE999990.exe	30
PID 1152 wrote to memory of 1908	1152	INVOICE999990.exe	30
PID 1152 wrote to memory of 1908	1152	INVOICE999990.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	INVOICE999990.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1716	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1152
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLAgnrQTnlHGEV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C85.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
  "{path}"
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
  "{path}"
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
  "{path}"
  2⤵
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
  "{path}"
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
  "{path}"
  2⤵
  PID:1908