Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7v20201028
submitted: 23-02-2021 19:53
Static task: static1
Behavioral task: behavioral1
Sample: Payment Confirmation.exe
Resource: win7v20201028
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- PID 1272, cvcvsdf.exe
- PID 1316, cvcvsdf.exe
Resources matched by YARA rule:
- behavioral1/memory/1316-14-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral1/memory/1316-18-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe (by Payment Confirmation.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe (by Payment Confirmation.exe)
Loads dropped DLL (3 IoCs)
Processes:
- PID 1596, Payment Confirmation.exe
- PID 1596, Payment Confirmation.exe
- PID 1272, cvcvsdf.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1272 (cvcvsdf.exe) set thread context of PID 1316 (cvcvsdf.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
- PID 1316 (cvcvsdf.exe) adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges listed only by number 33, 34, 35
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 1596, Payment Confirmation.exe
- PID 1272, cvcvsdf.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 1596 (Payment Confirmation.exe) wrote to memory of PID 1272 (cvcvsdf.exe): 4 events
- PID 1272 (cvcvsdf.exe) wrote to memory of PID 1316 (cvcvsdf.exe): 8 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe (depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
   PID: 1596
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
      PID: 1272
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe (depth 3)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
         PID: 1316
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
  MD5: 800b9d7f3a47c5a18da78cb6a54f90be
  SHA1: 67c825ca6d8f430fdfc4cbca78c442600db7ccf0
  SHA256: e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233
  SHA512: 3f36217fc2e0afd41d16ea8e35628b00bd8e094194b892e551ba2b39fffaf16e67ece937ade136fe03286fef59718a76fc83081a7cb1dd2f8a7efa811a992e87
- memory/1272-7-0x0000000000000000-mapping.dmp
- memory/1316-14-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1316-15-0x00000000004B67A0-mapping.dmp
- memory/1316-18-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1316-19-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize: 4KB)
- memory/1596-4-0x0000000075781000-0x0000000075783000-memory.dmp (Filesize: 8KB)