ebc28d320cd55a376a0a3562417c47098d9468210abe553ac836b0a679131b39

General

Target

Payment Details.exe
Size

293KB
MD5

4074ddccd5e6150bb05f6231ca415e0a
SHA1

499d5776e16c73d69fa3ccf4bcaba1e87b9ae4c1
SHA256

ebc28d320cd55a376a0a3562417c47098d9468210abe553ac836b0a679131b39
SHA512

cd9f50ad40dcbe5205572aa35d1a4b1c2b8e785dc61e3782cab52d75f9945e2bd382576f75ca595fc092112d8d14c1850fd839578ef8eb62dca4f563047deef2

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Payment Details.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1100 wrote to memory of 1432	1100	Payment Details.exe	schtasks.exe
PID 1100 wrote to memory of 1432	1100	Payment Details.exe	schtasks.exe
PID 1100 wrote to memory of 1432	1100	Payment Details.exe	schtasks.exe
PID 1100 wrote to memory of 1432	1100	Payment Details.exe	schtasks.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1100 wrote to memory of 544	1100	Payment Details.exe	Payment Details.exe
PID 1264 wrote to memory of 604	1264	Explorer.EXE	colorcpl.exe
PID 1264 wrote to memory of 604	1264	Explorer.EXE	colorcpl.exe
PID 1264 wrote to memory of 604	1264	Explorer.EXE	colorcpl.exe
PID 1264 wrote to memory of 604	1264	Explorer.EXE	colorcpl.exe
PID 604 wrote to memory of 1636	604	colorcpl.exe	cmd.exe
PID 604 wrote to memory of 1636	604	colorcpl.exe	cmd.exe
PID 604 wrote to memory of 1636	604	colorcpl.exe	cmd.exe
PID 604 wrote to memory of 1636	604	colorcpl.exe	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment Details.exePayment Details.execolorcpl.exe

description	pid	process	target process
PID 1100 set thread context of 544	1100	Payment Details.exe	Payment Details.exe
PID 544 set thread context of 1264	544	Payment Details.exe	Explorer.EXE
PID 604 set thread context of 1264	604	colorcpl.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Details.exePayment Details.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1100	Payment Details.exe
Token: SeDebugPrivilege	544	Payment Details.exe
Token: SeDebugPrivilege	604	colorcpl.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1636	cmd.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Payment Details.exePayment Details.execolorcpl.exe

pid	process
1100	Payment Details.exe
544	Payment Details.exe
544	Payment Details.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe
604	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment Details.execolorcpl.exe

pid process

544 Payment Details.exe
544 Payment Details.exe
544 Payment Details.exe
604 colorcpl.exe
604 colorcpl.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
544	Payment Details.exe
544	Payment Details.exe
544	Payment Details.exe
604	colorcpl.exe
604	colorcpl.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1432	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1264

C:\Users\Admin\AppData\Local\Temp\Payment Details.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Details.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJnTIH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp"
3⤵
- Creates scheduled task(s)
PID:1432

C:\Users\Admin\AppData\Local\Temp\Payment Details.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:544

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:604

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment Details.exe"
3⤵
- Deletes itself
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAF32.tmp

Download Submit
memory/544-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/544-5-0x000000000041E2F0-mapping.dmp

Download
memory/604-6-0x0000000000000000-mapping.dmp

Download
memory/604-7-0x0000000000030000-0x0000000000048000-memory.dmp

Filesize
96KB

Download
memory/604-9-0x0000000002EB0000-0x0000000002FDA000-memory.dmp

Filesize
1.2MB

Download
memory/1100-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1432-2-0x0000000000000000-mapping.dmp

Download
memory/1636-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads