Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-03-2021 06:47

Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE-ORDER CONFIRM.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: INVOICE-ORDER CONFIRM.exe
- Resource: win10v20201028
General
- Target: INVOICE-ORDER CONFIRM.exe
- Size: 3.1MB
- MD5: 6282b0c5f353fb2e52ef52934fdf4c9a
- SHA1: 351978b673a71d15ed2d3c881457e4aebb4a286f
- SHA256: 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
- SHA512: 8e7a1290422fd2cd7330c12bf91caee4335e094c0522f19a0a7750c4a6f10b9dfe0dd0c733661ec7b6815f0885bdc2b083fbfc78f91fef93ab14bb46b7895e19
Malware Config
Signatures
- BitRAT Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1644-25-0x00000000007E1310-mapping.dmp | family_bitrat
- Executes dropped EXE (2 IoCs)
  pid | process
  464 | micpiclined.exe
  1644 | micpiclined.exe
- (signature name missing on the page)
  resource | yara_rule
  behavioral1/memory/1644-24-0x0000000000400000-0x00000000007E3000-memory.dmp | upx
  behavioral1/memory/1644-28-0x0000000000400000-0x00000000007E3000-memory.dmp | upx
- Loads dropped DLL (1 IoC)
  pid | process
  1908 | INVOICE-ORDER CONFIRM.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/1908-7-0x0000000005F60000-0x0000000005F81000-memory.dmp | agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\micpiclined = "C:\\Users\\Admin\\AppData\\Roaming\\micpiclined.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | process
  1644 | micpiclined.exe (5 entries)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 464 set thread context of 1644 | 464 | micpiclined.exe | micpiclined.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1908 | INVOICE-ORDER CONFIRM.exe (3 entries)
  464 | micpiclined.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1908 | INVOICE-ORDER CONFIRM.exe
  Token: SeDebugPrivilege | 464 | micpiclined.exe
  Token: SeDebugPrivilege | 1644 | micpiclined.exe
  Token: SeShutdownPrivilege | 1644 | micpiclined.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1644 | micpiclined.exe (2 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 1908 wrote to memory of 412 | 1908 | INVOICE-ORDER CONFIRM.exe | cmd.exe (4 entries)
  PID 412 wrote to memory of 1152 | 412 | cmd.exe | reg.exe (4 entries)
  PID 1908 wrote to memory of 464 | 1908 | INVOICE-ORDER CONFIRM.exe | micpiclined.exe (4 entries)
  PID 464 wrote to memory of 1644 | 464 | micpiclined.exe | micpiclined.exe (8 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\INVOICE-ORDER CONFIRM.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE-ORDER CONFIRM.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "micpiclined" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\micpiclined.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "micpiclined" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\micpiclined.exe"
      - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\micpiclined.exe
    command line: "C:\Users\Admin\AppData\Roaming\micpiclined.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\micpiclined.exe
      command line: "C:\Users\Admin\AppData\Roaming\micpiclined.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\micpiclined.exe
  MD5: 6282b0c5f353fb2e52ef52934fdf4c9a
  SHA1: 351978b673a71d15ed2d3c881457e4aebb4a286f
  SHA256: 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
  SHA512: 8e7a1290422fd2cd7330c12bf91caee4335e094c0522f19a0a7750c4a6f10b9dfe0dd0c733661ec7b6815f0885bdc2b083fbfc78f91fef93ab14bb46b7895e19
- \Users\Admin\AppData\Roaming\micpiclined.exe
  MD5: 6282b0c5f353fb2e52ef52934fdf4c9a
  SHA1: 351978b673a71d15ed2d3c881457e4aebb4a286f
  SHA256: 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
  SHA512: 8e7a1290422fd2cd7330c12bf91caee4335e094c0522f19a0a7750c4a6f10b9dfe0dd0c733661ec7b6815f0885bdc2b083fbfc78f91fef93ab14bb46b7895e19
- memory/412-8-0x0000000000000000-mapping.dmp
- memory/464-22-0x00000000009A0000-0x00000000009AB000-memory.dmp (Filesize 44KB)
- memory/464-21-0x0000000000571000-0x0000000000572000-memory.dmp (Filesize 4KB)
- memory/464-12-0x0000000000000000-mapping.dmp
- memory/464-18-0x0000000000570000-0x0000000000571000-memory.dmp (Filesize 4KB)
- memory/464-23-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize 4KB)
- memory/464-15-0x00000000745B0000-0x0000000074C9E000-memory.dmp (Filesize 6.9MB)
- memory/464-16-0x0000000001250000-0x0000000001251000-memory.dmp (Filesize 4KB)
- memory/1152-9-0x0000000000000000-mapping.dmp
- memory/1644-25-0x00000000007E1310-mapping.dmp
- memory/1644-24-0x0000000000400000-0x00000000007E3000-memory.dmp (Filesize 3.9MB)
- memory/1644-27-0x0000000076271000-0x0000000076273000-memory.dmp (Filesize 8KB)
- memory/1644-28-0x0000000000400000-0x00000000007E3000-memory.dmp (Filesize 3.9MB)
- memory/1644-29-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize 4KB)
- memory/1644-30-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize 4KB)
- memory/1908-10-0x0000000004EF1000-0x0000000004EF2000-memory.dmp (Filesize 4KB)
- memory/1908-7-0x0000000005F60000-0x0000000005F81000-memory.dmp (Filesize 132KB)
- memory/1908-5-0x0000000004EF0000-0x0000000004EF1000-memory.dmp (Filesize 4KB)
- memory/1908-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp (Filesize 6.9MB)
- memory/1908-3-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize 4KB)