Analysis
- max time kernel: 54s
- max time network: 56s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-12-2020 11:13

Static task: static1
Behavioral task: behavioral1
Sample: PAYMENT ADVICE.exe
Resource: win7v20201028
General
- Target: PAYMENT ADVICE.exe
- Size: 485KB
- MD5: 7b3a0c8d0b05933156402de9a42490fc
- SHA1: 49ea0ae6f2740dbbb7231423c16f8e88566bdb92
- SHA256: ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d
- SHA512: 49e37363637fb91c2a8325c0a6f734f194d38a3aecdbf9f271a7dc2d22241a287467f7ad672a81e8b6fe6c5a642c45c3ceba05f762b18c7f5525f6c9c8988164
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 776)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1640 (PAYMENT ADVICE.exe) set thread context of PID 1780 (PAYMENT ADVICE.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PAYMENT ADVICE.exe (PID 1640), 4 occurrences
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    PID 1640 (PAYMENT ADVICE.exe): Token: SeDebugPrivilege
    PID 1780 (PAYMENT ADVICE.exe): Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege (this sequence of 8 tokens recorded 4 times, 32 entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 1640 (PAYMENT ADVICE.exe) wrote to memory of PID 1088 (PAYMENT ADVICE.exe), 4 occurrences
    PID 1640 (PAYMENT ADVICE.exe) wrote to memory of PID 1780 (PAYMENT ADVICE.exe), 9 occurrences
    PID 1780 (PAYMENT ADVICE.exe) wrote to memory of PID 776 (cmd.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259324221.bat" "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe" "
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259324221.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- memory/776-14-0x0000000000000000-mapping.dmp
- memory/1468-13-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp (Filesize: 2.5MB)
- memory/1640-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp (Filesize: 6.9MB)
- memory/1640-3-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/1640-5-0x00000000005F0000-0x000000000063D000-memory.dmp (Filesize: 308KB)
- memory/1640-8-0x0000000000500000-0x000000000050E000-memory.dmp (Filesize: 56KB)
- memory/1640-9-0x0000000004ED0000-0x0000000004F21000-memory.dmp (Filesize: 324KB)
- memory/1780-10-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/1780-11-0x0000000000410621-mapping.dmp
- memory/1780-12-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)