ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

General

Target

PAYMENT DETAILS CONFIRMATION.exe
Size

992KB
MD5

73c81dd67773b2efa5261e20adf74a5b
SHA1

fde0db688d6abb4aad0bb646db9f1c192d980b5a
SHA256

ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
SHA512

8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PAYMENT DETAILS CONFIRMATION.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PAYMENT DETAILS CONFIRMATION.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PAYMENT DETAILS CONFIRMATION.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	PAYMENT DETAILS CONFIRMATION.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exe

pid	process
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe
1088	PAYMENT DETAILS CONFIRMATION.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description pid process

Token: SeDebugPrivilege 1088 PAYMENT DETAILS CONFIRMATION.exe

description	pid	process
Token: SeDebugPrivilege	1088	PAYMENT DETAILS CONFIRMATION.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1088-1-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1088-3-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1088-4-0x00000000051D0000-0x0000000005293000-memory.dmp

Filesize
780KB

Download
memory/1088-5-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/1088-6-0x0000000004D40000-0x0000000004DF7000-memory.dmp

Filesize
732KB

Download

description	pid	process	target process
PID 1088 wrote to memory of 2004	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2004	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2004	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2004	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1072	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1072	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1072	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1072	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2036	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2036	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2036	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 2036	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1056	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1056	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1056	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1056	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1992	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1992	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1992	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 1088 wrote to memory of 1992	1088	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads