Overview

overview

7

Static

static

invoice.exe

windows7_x64

7

invoice.exe

windows10_x64

3

Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-07-2020 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice.exe

  • Size

    339KB

  • MD5

    8f76d465d04393a7e53d7ac84bc7a73f

  • SHA1

    d904130c434417ea57d2d4198743231aad25118c

  • SHA256

    fa355139bfaa9fcf4324154194f2cb280899be4863fd278c7b06440d84a14d39

  • SHA512

    1b3946e09684f0c6b7980546776164bc785e0e6e443e554360dc2f81fa38186a5a4487de928ffd8d1d12175d3b742c69501d73972b8c61c08d442267b8c3e4e9

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\invoice.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        PID:1436
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: EnumeratesProcesses
          PID:292
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
            5⤵
            • Deletes itself
            PID:672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/292-6-0x0000000000C70000-0x0000000000C8C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/292-8-0x0000000002F70000-0x0000000003098000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1312-4-0x00000000043A0000-0x0000000004488000-memory.dmp

    Filesize

    928KB

    Download

  • memory/1312-9-0x0000000006830000-0x0000000006979000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1436-2-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download