6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89

Analysis

max time kernel
139s
max time network
52s
platform
windows7_x64
resource
win7v200430
submitted
16-07-2020 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment Slip.exe
Size

824KB
MD5

f2dc2472943a80a1adb493cefc36235a
SHA1

0288a2c724051d6f42784b84dbb5cae170144358
SHA256

6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89
SHA512

9ed2ee019ad571e2fe601bb78d5a4f6228734c551db00dafe2eb6752fdf20970b24306a2b60579c2bb4e63b519a4893d1ea4500bb93e42789eda045e067e02a4

Score

9^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
328	images.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	payment Slip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	payment Slip.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	payment Slip.exe
Token: SeDebugPrivilege	1580	payment Slip.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1388	payment Slip.exe
1388	payment Slip.exe
1580	payment Slip.exe
1580	payment Slip.exe
1580	payment Slip.exe
1580	payment Slip.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	payment Slip.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1756	schtasks.exe
1916	schtasks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	payment Slip.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1756	1388	payment Slip.exe	27
PID 1388 wrote to memory of 1756	1388	payment Slip.exe	27
PID 1388 wrote to memory of 1756	1388	payment Slip.exe	27
PID 1388 wrote to memory of 1756	1388	payment Slip.exe	27
PID 1388 wrote to memory of 1588	1388	payment Slip.exe	29
PID 1388 wrote to memory of 1588	1388	payment Slip.exe	29
PID 1388 wrote to memory of 1588	1388	payment Slip.exe	29
PID 1388 wrote to memory of 1588	1388	payment Slip.exe	29
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1388 wrote to memory of 1580	1388	payment Slip.exe	30
PID 1580 wrote to memory of 1916	1580	payment Slip.exe	31
PID 1580 wrote to memory of 1916	1580	payment Slip.exe	31
PID 1580 wrote to memory of 1916	1580	payment Slip.exe	31
PID 1580 wrote to memory of 1916	1580	payment Slip.exe	31
PID 1580 wrote to memory of 2008	1580	payment Slip.exe	33
PID 1580 wrote to memory of 2008	1580	payment Slip.exe	33
PID 1580 wrote to memory of 2008	1580	payment Slip.exe	33
PID 1580 wrote to memory of 2008	1580	payment Slip.exe	33
PID 1580 wrote to memory of 2012	1580	payment Slip.exe	34
PID 1580 wrote to memory of 2012	1580	payment Slip.exe	34
PID 1580 wrote to memory of 2012	1580	payment Slip.exe	34
PID 1580 wrote to memory of 2012	1580	payment Slip.exe	34
PID 1580 wrote to memory of 1980	1580	payment Slip.exe	35
PID 1580 wrote to memory of 1980	1580	payment Slip.exe	35
PID 1580 wrote to memory of 1980	1580	payment Slip.exe	35
PID 1580 wrote to memory of 1980	1580	payment Slip.exe	35
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1580 wrote to memory of 1992	1580	payment Slip.exe	36
PID 1992 wrote to memory of 328	1992	payment Slip.exe	37
PID 1992 wrote to memory of 328	1992	payment Slip.exe	37
PID 1992 wrote to memory of 328	1992	payment Slip.exe	37
PID 1992 wrote to memory of 328	1992	payment Slip.exe	37

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1580	1388	payment Slip.exe	30
PID 1580 set thread context of 1992	1580	payment Slip.exe	36

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	payment Slip.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	payment Slip.exe

C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Maps connected drives based on registry
PID:1388
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vxhZpRRd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AC5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
  "{path}"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWehepvFoFJKw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD46D.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
    "{path}"
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
    "{path}"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
    "{path}"
    3⤵
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
    "{path}"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1992-12-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1992-14-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download