Analysis
max time kernel: 150s
max time network: 119s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 07:41
Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip.exe
Resource: win7v20201028
General
Target: Payment Slip.exe
Size: 505KB
MD5: 2ca388f576c09252531a51474cdf74ae
SHA1: 2d8f4f340bf642fc0f2565a20ed079cc669e18b3
SHA256: 4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
SHA512: 373f3f9690c9061922ea95ec24c86c87a586125949e1368268b018185be44db6cc273cec9e42821f857b733d9bbe6462e5b8ba37149f577597dcaa33f1f0e791
Malware Config
Extracted: formbook 4.1
C2: http://www.the-techs.info/chue/
Decoy domains (64):
wowmovies.today
magentos6.com
bi-nav.com
atlantahawks.sucks
wluabjy.icu
kevableinsights.com
lavidaenaustralia.com
stonermadeapparel.net
sondein.com
cirquedusoleilartist.com
kanjitem.com
tomofalltrades.site
mecanico.guru
tech2020s.com
amesoneco.com
theawfulliar.com
californiaadugurus.com
rentalservicesolutions.com
fsxbhd.club
casino-seo.com
asknesto.com
get-rangextd.com
gkwill.com
juliegiles.net
pagosafreedom.com
wbpossiblellc.com
fhjfyutotyhfse.com
sexshopsatelite.com
shellykraftlaw.com
motherhenscoop.com
mboklanjar.com
redwoodcityswing.com
haier-mz.com
metalinjectionltd.asia
franquiaoriginal.com
mcronaldfood.com
mobilegymconcierge.com
haifu168.com
apeiro.life
thejosephnashvilletn.com
bensbrickstore.com
sanctumwell.com
beanexthomie.com
stylazhaircare.com
jordanvanvleet.com
jdwx400.com
francescoricco.com
gameshowsatschool.com
alqymist-monaco.com
infinitysportsmassage.com
algorithmrecruitment.com
tanyasubatang.com
impressivebackyard.com
wwwgocashwire.com
visual-pioneers.net
thememo-mobilebar.com
wagner-fahrschulegmbh.com
minterfortexas.com
codelopers.com
inyarsb.icu
ravenlightproductions.com
germiblock.com
coutinhoefelipeadv.com
diegobr1307.life
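The extracted config above is a Formbook 4.1 profile: one live C2 URL followed by the family's list of decoy domains, which the bot beacons to alongside the real server so that a single outbound connection does not give the C2 away. The Python below is an added example, not part of the sandbox report or of any extractor: it parses that layout (a constructed subset of the page's list is embedded inline), validates the domain syntax, and emits Suricata DNS rules plus a path-based HTTP rule. The SID numbers, the "www." handling and the assumption that the bot reuses the C2 path on every decoy host are this example's own.

```python
"""Turn an extracted Formbook config (family, version, C2 URL, domain list) into
network IOCs. Added example; the config below is a constructed subset of the
list on this page, and the rule SIDs are arbitrary."""
import re
from urllib.parse import urlsplit

# Constructed input: first lines of the config above, trimmed to a few decoys.
CONFIG_TEXT = """\
formbook
4.1
http://www.the-techs.info/chue/
wowmovies.today
magentos6.com
bi-nav.com
atlantahawks.sucks
wluabjy.icu
kevableinsights.com
"""

# One DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """True for a syntactically sane, dotted domain with a non-numeric TLD."""
    if len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    return all(_LABEL.match(lbl) for lbl in labels) and not labels[-1].isdigit()


def parse_formbook_config(text: str) -> dict:
    """Parse the family/version/C2/domains layout used in the report above."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, c2_url, *domains = lines
    bad = [d for d in domains if not is_valid_domain(d)]
    if bad:
        raise ValueError(f"malformed domain(s) in config: {bad}")
    parts = urlsplit(c2_url)
    return {"family": family, "version": version, "c2_url": c2_url,
            "c2_host": parts.hostname or "", "c2_path": parts.path, "domains": domains}


def registrable_hosts(cfg: dict) -> list:
    """All hosts to watch, real C2 first, lower-cased, 'www.' stripped, deduplicated."""
    seen, out = set(), []
    for host in [cfg["c2_host"]] + cfg["domains"]:
        host = host.lower()
        host = host[4:] if host.startswith("www.") else host
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def suricata_dns_rules(cfg: dict, base_sid: int = 9000000) -> list:
    """One DNS-query alert per host; the SID range is an assumption of this example."""
    rules = []
    for i, host in enumerate(registrable_hosts(cfg)):
        role = "C2" if i == 0 else "decoy"
        rules.append(
            f'alert dns any any -> any any (msg:"Formbook {cfg["version"]} {role} domain {host}"; '
            f'dns.query; content:"{host}"; nocase; isdataat:!1,relative; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)')
    return rules


def suricata_http_rule(cfg: dict, sid: int = 9000999) -> str:
    """Path-based rule. Assumes (as this example does) that the bot reuses the
    C2 URI path when it beacons to decoy hosts, so the path alone is a signal."""
    return (f'alert http any any -> any any (msg:"Formbook {cfg["version"]} beacon path"; '
            f'http.uri; content:"{cfg["c2_path"]}"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    cfg = parse_formbook_config(CONFIG_TEXT)
    print("\n".join(suricata_dns_rules(cfg)))
    print(suricata_http_rule(cfg))
```

Feed the full 64-domain list from the page into CONFIG_TEXT to get the complete rule set; the validator will refuse the run if an extraction artefact has crept into a domain line.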
Signatures
Formbook Payload (3 IoCs)
  yara rule "formbook" matched in:
  behavioral2/memory/1324-19-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/memory/1324-20-0x000000000041ED80-mapping.dmp
  behavioral2/memory/1560-28-0x0000000000530000-0x000000000055E000-memory.dmp
Nirsoft (5 IoCs)
  yara rule "Nirsoft" matched in C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (5 identical hits)
Executes dropped EXE (4 IoCs)
  PID 4104 AdvancedRun.exe
  PID 3004 AdvancedRun.exe
  PID 4240 AdvancedRun.exe
  PID 508 AdvancedRun.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 4696 Payment Slip.exe set thread context of PID 1324 Payment Slip.exe
  PID 1324 Payment Slip.exe set thread context of PID 3028 Explorer.EXE
  PID 1560 cmd.exe set thread context of PID 3028 Explorer.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but that heuristic does not fit this sample: it is classified as Formbook, an information stealer, and nothing else in this report shows file-encryption activity. Read it as host and drive enumeration.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4104 AdvancedRun.exe (4 hits)
  PID 3004 AdvancedRun.exe (4 hits)
  PID 4240 AdvancedRun.exe (4 hits)
  PID 508 AdvancedRun.exe (4 hits)
  PID 4696 Payment Slip.exe (2 hits)
  PID 1324 Payment Slip.exe (4 hits)
  PID 1560 cmd.exe (42 hits)
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 1324 Payment Slip.exe (3 hits)
  PID 1560 cmd.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  PID 4104 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
  PID 3004 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
  PID 4240 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
  PID 508 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
  PID 4696 Payment Slip.exe: SeDebugPrivilege
  PID 1324 Payment Slip.exe: SeDebugPrivilege
  PID 1560 cmd.exe: SeDebugPrivilege
Suspicious use of UnmapMainImage (1 IoCs)
  PID 3028 Explorer.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 4696 Payment Slip.exe wrote to memory of PID 4104 AdvancedRun.exe (3 hits)
  PID 4104 AdvancedRun.exe wrote to memory of PID 3004 AdvancedRun.exe (3 hits)
  PID 4696 Payment Slip.exe wrote to memory of PID 4240 AdvancedRun.exe (3 hits)
  PID 4240 AdvancedRun.exe wrote to memory of PID 508 AdvancedRun.exe (3 hits)
  PID 4696 Payment Slip.exe wrote to memory of PID 1324 Payment Slip.exe (6 hits)
  PID 3028 Explorer.EXE wrote to memory of PID 1560 cmd.exe (3 hits)
  PID 1560 cmd.exe wrote to memory of PID 1760 cmd.exe (3 hits)
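Read together, the SetThreadContext, MapViewOfSection and WriteProcessMemory tables describe Formbook's usual staging: the sample spawns a copy of itself and hollows it (create, write, then reset the thread context), the hollowed copy injects into Explorer.EXE, and the injected Explorer spawns a cmd.exe that receives the final payload and in turn injects back into Explorer. The Python below is an added example, not part of the sandbox report: it transcribes those rows (constructed from the tables above, with the repeated WriteProcessMemory hits collapsed) and recovers that chain mechanically. The three heuristics are this example's own, not the sandbox's rules.

```python
"""Recover an injection chain from sandbox process events. Added example; the
EVENTS list is a constructed transcription of the signature tables above."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                  # "create", "write", "setctx" or "mapview"
    src: int                   # acting PID
    src_image: str
    dst: Optional[int] = None  # target PID (None for mapview, which has no target)
    dst_image: Optional[str] = None


# Parent/child links from the process tree ("create"), WriteProcessMemory
# ("write"), SetThreadContext ("setctx") and MapViewOfSection ("mapview").
EVENTS = [
    Event("create", 3028, "Explorer.EXE", 4696, "Payment Slip.exe"),
    Event("create", 4696, "Payment Slip.exe", 4104, "AdvancedRun.exe"),
    Event("write", 4696, "Payment Slip.exe", 4104, "AdvancedRun.exe"),
    Event("create", 4104, "AdvancedRun.exe", 3004, "AdvancedRun.exe"),
    Event("write", 4104, "AdvancedRun.exe", 3004, "AdvancedRun.exe"),
    Event("create", 4696, "Payment Slip.exe", 4240, "AdvancedRun.exe"),
    Event("write", 4696, "Payment Slip.exe", 4240, "AdvancedRun.exe"),
    Event("create", 4240, "AdvancedRun.exe", 508, "AdvancedRun.exe"),
    Event("write", 4240, "AdvancedRun.exe", 508, "AdvancedRun.exe"),
    Event("create", 4696, "Payment Slip.exe", 1324, "Payment Slip.exe"),
    Event("write", 4696, "Payment Slip.exe", 1324, "Payment Slip.exe"),
    Event("setctx", 4696, "Payment Slip.exe", 1324, "Payment Slip.exe"),
    Event("mapview", 1324, "Payment Slip.exe"),
    Event("setctx", 1324, "Payment Slip.exe", 3028, "Explorer.EXE"),
    Event("create", 3028, "Explorer.EXE", 1560, "cmd.exe"),
    Event("write", 3028, "Explorer.EXE", 1560, "cmd.exe"),
    Event("mapview", 1560, "cmd.exe"),
    Event("setctx", 1560, "cmd.exe", 3028, "Explorer.EXE"),
    Event("create", 1560, "cmd.exe", 1760, "cmd.exe"),
    Event("write", 1560, "cmd.exe", 1760, "cmd.exe"),
]


def images(events):
    """Map every PID in the event list to its image name."""
    names = {}
    for e in events:
        names.setdefault(e.src, e.src_image)
        if e.dst is not None:
            names.setdefault(e.dst, e.dst_image)
    return names


def kinds_by_pair(events):
    """Set of event kinds observed for each (actor PID, target PID) pair."""
    pairs = defaultdict(set)
    for e in events:
        if e.dst is not None:
            pairs[(e.src, e.dst)].add(e.kind)
    return pairs


def find_hollowing(events):
    """Process hollowing: a parent creates a child of its own image, writes into
    it and then resets its thread context (create + write + setctx on one pair).
    Plain child creation also shows up as create + write, so setctx is required."""
    names = images(events)
    return sorted((src, dst, names[src])
                  for (src, dst), kinds in kinds_by_pair(events).items()
                  if {"create", "write", "setctx"} <= kinds and names[src] == names[dst])


def find_cross_injection(events):
    """SetThreadContext against a process of a different image (here Explorer.EXE)."""
    return sorted((e.src, e.dst) for e in events
                  if e.kind == "setctx" and e.src_image != e.dst_image)


def find_injected_hosts(events):
    """Children of an injected process that the parent wrote into and that go on
    to map sections or inject themselves: the process carrying the final stage."""
    injected = {dst for _, dst in find_cross_injection(events)}
    active = {e.src for e in events if e.kind in ("setctx", "mapview")}
    return sorted(dst for (src, dst), kinds in kinds_by_pair(events).items()
                  if src in injected and {"create", "write"} <= kinds and dst in active)


def injection_chain(events):
    """Human-readable stages in the order the tables imply."""
    names = images(events)
    creator = {e.dst: e.src for e in events if e.kind == "create"}
    hosts = find_injected_hosts(events)
    crosses = find_cross_injection(events)

    def inject(src, dst):
        return f"{src} {names[src]} injects into {dst} {names[dst]}"

    stages = [f"{src} {img} hollows its child {dst} {img}"
              for src, dst, img in find_hollowing(events)]
    stages += [inject(s, d) for s, d in crosses if s not in hosts]
    stages += [f"{creator[p]} {names[creator[p]]} spawns {p} {names[p]}, which carries the final stage"
               for p in hosts]
    stages += [inject(s, d) for s, d in crosses if s in hosts]
    return stages


if __name__ == "__main__":
    for line in injection_chain(EVENTS):
        print(line)
```

The same records show why the 184KB region flagged by the "formbook" yara rule appears twice: once at 0x400000 in the hollowed copy (PID 1324) and once at 0x530000 in the Explorer-spawned cmd.exe (PID 1560), the two processes the chain identifies as payload carriers.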
Processes (PIDs taken from the signature tables above; nesting follows the tree's depth markers)
C:\Windows\Explorer.EXE (PID 3028)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 4696)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 4104)
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 3004)
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 4104
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 4240)
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 508)
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 4240
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 1324)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 1560)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1760)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
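The two AdvancedRun launches in the tree are the sample's Defender tampering: NirSoft's tool is asked to run sc.exe with "stop WinDefend" and then PowerShell with a recursive rmdir of the Defender data directory, both with /RunAs 8 (AdvancedRun's TrustedInstaller mode, which is what the SeDebugPrivilege/SeImpersonatePrivilege token adjustments above support), each followed by the /SpecialRun helper child. The last cmd.exe deletes the original sample. The Python below is an added example, not part of the sandbox report: it transcribes the tree's command lines (constructed records, PIDs from the signature tables) and scores them with rules that are this example's own; the rules generalise slightly beyond the page (sc config/delete, Remove-Item) so they are not tied to this one sample's spelling.

```python
"""Score process-creation records for Defender tampering via AdvancedRun and for
self-cleanup. Added example; RECORDS is a constructed transcription of the
process tree above and the detection rules are this example's own."""
import re

# The sample's path on disk, as shown in the tree above.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
ADVRUN = r"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"

RECORDS = [
    {"pid": 4696, "ppid": 3028, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 4104, "ppid": 4696, "image": ADVRUN,
     "cmdline": (f'"{ADVRUN}" ' + r'/EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 '
                 r'/CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run')},
    {"pid": 3004, "ppid": 4104, "image": ADVRUN, "cmdline": f'"{ADVRUN}" /SpecialRun 4101d8 4104'},
    {"pid": 4240, "ppid": 4696, "image": ADVRUN,
     "cmdline": (f'"{ADVRUN}" '
                 r'/EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 '
                 r'''/CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" '''
                 r'/StartDirectory "" /RunAs 8 /Run')},
    {"pid": 508, "ppid": 4240, "image": ADVRUN, "cmdline": f'"{ADVRUN}" /SpecialRun 4101d8 4240'},
    {"pid": 1324, "ppid": 4696, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 1560, "ppid": 3028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmd.exe"'},
    {"pid": 1760, "ppid": 1560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE_PATH}"'},
]

# AdvancedRun options look like /Name value, /Name "quoted value" or a bare /Flag.
_OPT = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')


def parse_advancedrun(cmdline):
    """Parse AdvancedRun's /Option pairs into a dict; a flag without a value maps to True."""
    opts = {}
    for m in _OPT.finditer(cmdline):
        value = m.group(2)
        opts[m.group(1).lower()] = True if value is None else value.strip('"')
    return opts


def _basename(path):
    return str(path).rsplit("\\", 1)[-1].lower()


def classify(rec, sample_path=SAMPLE_PATH):
    """Findings for one process-creation record (empty list means nothing notable)."""
    findings = []
    image, cmd = _basename(rec["image"]), rec["cmdline"]
    if image == "advancedrun.exe":
        opts = parse_advancedrun(cmd)
        target = _basename(opts.get("exefilename", ""))
        args = str(opts.get("commandline", ""))
        if opts.get("runas") == "8":
            findings.append("AdvancedRun /RunAs 8: target launched as TrustedInstaller")
        if target == "sc.exe" and re.search(r"\b(stop|config|delete)\s+WinDefend\b", args, re.I):
            findings.append("sc.exe acting on the WinDefend service")
        if (target.startswith("powershell") and "windows defender" in args.lower()
                and re.search(r"\b(rmdir|rd|remove-item|del|rm)\b", args, re.I)):
            findings.append("PowerShell removing a Windows Defender directory")
        if "specialrun" in opts:
            findings.append("AdvancedRun /SpecialRun elevated helper")
    elif image == "cmd.exe":
        m = re.search(r'/c\s+del\s+"?(.+?\.exe)"?\s*$', cmd, re.I)
        if m and m.group(1).lower() == sample_path.lower():
            findings.append("cmd.exe /c del of the original sample (self-cleanup)")
    return findings


def scan(records, sample_path=SAMPLE_PATH):
    """PID -> findings for every record that produced at least one."""
    out = {}
    for rec in records:
        hits = classify(rec, sample_path)
        if hits:
            out[rec["pid"]] = hits
    return out


def defender_tamper_pids(records, sample_path=SAMPLE_PATH):
    """PIDs that both elevate via /RunAs 8 and act on Defender: the high-confidence alerts."""
    out = []
    for pid, hits in scan(records, sample_path).items():
        elevated = any("TrustedInstaller" in h for h in hits)
        defender = any("WinDefend" in h or "Windows Defender" in h for h in hits)
        if elevated and defender:
            out.append(pid)
    return out


if __name__ == "__main__":
    for pid, hits in scan(RECORDS).items():
        print(pid, "; ".join(hits))
    print("defender tampering:", defender_tamper_pids(RECORDS))
```

On a live host the same records come from Sysmon event ID 1 or 4688 with command-line auditing; the /SpecialRun helper is worth keeping as a separate, lower-severity finding because it appears even when the launched command is benign.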
Downloads
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (5 entries listed, identical hashes)
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
memory/508-17-0x0000000000000000-mapping.dmp
memory/1324-19-0x0000000000400000-0x000000000042E000-memory.dmp  184KB
memory/1324-23-0x0000000000E20000-0x0000000000E34000-memory.dmp  80KB
memory/1324-22-0x00000000012E0000-0x0000000001600000-memory.dmp  3.1MB
memory/1324-20-0x000000000041ED80-mapping.dmp
memory/1560-25-0x0000000000000000-mapping.dmp
memory/1560-31-0x0000000002C70000-0x0000000002D03000-memory.dmp  588KB
memory/1560-28-0x0000000000530000-0x000000000055E000-memory.dmp  184KB
memory/1560-29-0x0000000002F00000-0x0000000003220000-memory.dmp  3.1MB
memory/1560-27-0x0000000000B70000-0x0000000000BC9000-memory.dmp  356KB
memory/1760-26-0x0000000000000000-mapping.dmp
memory/3004-13-0x0000000000000000-mapping.dmp
memory/3028-24-0x0000000006400000-0x0000000006586000-memory.dmp  1.5MB
memory/3028-32-0x0000000006590000-0x000000000664E000-memory.dmp  760KB
memory/4104-10-0x0000000000000000-mapping.dmp
memory/4240-15-0x0000000000000000-mapping.dmp
memory/4696-6-0x00000000050A0000-0x00000000050F3000-memory.dmp  332KB
memory/4696-8-0x0000000005B30000-0x0000000005B31000-memory.dmp  4KB
memory/4696-9-0x0000000005230000-0x0000000005231000-memory.dmp  4KB
memory/4696-7-0x00000000051A0000-0x00000000051A1000-memory.dmp  4KB
memory/4696-3-0x00000000006F0000-0x00000000006F1000-memory.dmp  4KB
memory/4696-2-0x0000000073430000-0x0000000073B1E000-memory.dmp  6.9MB
memory/4696-5-0x0000000005070000-0x0000000005072000-memory.dmp  8KB