Analysis
-
max time kernel
61s -
max time network
9s -
platform
windows7_x64 -
resource
win7 -
submitted
17-09-2020 05:09
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT DETAILS CONFIRMATION.exe
Resource
win7
Behavioral task
behavioral2
Sample
PAYMENT DETAILS CONFIRMATION.exe
Resource
win10v200722
General
-
Target
PAYMENT DETAILS CONFIRMATION.exe
-
Size
992KB
-
MD5
73c81dd67773b2efa5261e20adf74a5b
-
SHA1
fde0db688d6abb4aad0bb646db9f1c192d980b5a
-
SHA256
ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
-
SHA512
8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
PAYMENT DETAILS CONFIRMATION.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PAYMENT DETAILS CONFIRMATION.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PAYMENT DETAILS CONFIRMATION.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
PAYMENT DETAILS CONFIRMATION.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PAYMENT DETAILS CONFIRMATION.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
PAYMENT DETAILS CONFIRMATION.exepid Process 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe 1088 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PAYMENT DETAILS CONFIRMATION.exedescription pid Process Token: SeDebugPrivilege 1088 PAYMENT DETAILS CONFIRMATION.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
PAYMENT DETAILS CONFIRMATION.exedescription pid Process procid_target PID 1088 wrote to memory of 2004 1088 PAYMENT DETAILS CONFIRMATION.exe 29 PID 1088 wrote to memory of 2004 1088 PAYMENT DETAILS CONFIRMATION.exe 29 PID 1088 wrote to memory of 2004 1088 PAYMENT DETAILS CONFIRMATION.exe 29 PID 1088 wrote to memory of 2004 1088 PAYMENT DETAILS CONFIRMATION.exe 29 PID 1088 wrote to memory of 1072 1088 PAYMENT DETAILS CONFIRMATION.exe 30 PID 1088 wrote to memory of 1072 1088 PAYMENT DETAILS CONFIRMATION.exe 30 PID 1088 wrote to memory of 1072 1088 PAYMENT DETAILS CONFIRMATION.exe 30 PID 1088 wrote to memory of 1072 1088 PAYMENT DETAILS CONFIRMATION.exe 30 PID 1088 wrote to memory of 2036 1088 PAYMENT DETAILS CONFIRMATION.exe 31 PID 1088 wrote to memory of 2036 1088 PAYMENT DETAILS CONFIRMATION.exe 31 PID 1088 wrote to memory of 2036 1088 PAYMENT DETAILS CONFIRMATION.exe 31 PID 1088 wrote to memory of 2036 1088 PAYMENT DETAILS CONFIRMATION.exe 31 PID 1088 wrote to memory of 1056 1088 PAYMENT DETAILS CONFIRMATION.exe 32 PID 1088 wrote to memory of 1056 1088 PAYMENT DETAILS CONFIRMATION.exe 32 PID 1088 wrote to memory of 1056 1088 PAYMENT DETAILS CONFIRMATION.exe 32 PID 1088 wrote to memory of 1056 1088 PAYMENT DETAILS CONFIRMATION.exe 32 PID 1088 wrote to memory of 1992 1088 PAYMENT DETAILS CONFIRMATION.exe 33 PID 1088 wrote to memory of 1992 1088 PAYMENT DETAILS CONFIRMATION.exe 33 PID 1088 wrote to memory of 1992 1088 PAYMENT DETAILS CONFIRMATION.exe 33 PID 1088 wrote to memory of 1992 1088 PAYMENT DETAILS CONFIRMATION.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:1072
-
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:1056
-
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"2⤵PID:1992
-