Payment Copy.exe

General

Target: Payment Copy.exe
Filesize: 258KB
Completed: 24-09-2021 12:04
Score: 7/10
MD5: 0d6e0449a278b6971826e0da856aed38
SHA1: f95ea74f5d687eaedc24a2abadb77229e4918698
SHA256: 2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61

Malware Config
Signatures 2


Discovery
  • Loads dropped DLL
    Payment Copy.exe

    Reported IOCs

    PID   Process
    1096  Payment Copy.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
    Loads dropped DLL
    PID:1096
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\nsk5F3F.tmp\ebzkw.dll

    MD5: 7925977982a97c0de2c1a34af37282a8
    SHA1: 26b7a9bf3f1937b4153750572ca18849f56dc41c
    SHA256: 14f0db931a3190b4e1cc5b960cea71a1298d87ef7466bb6c24631542a2b38eed
    SHA512: cb85b54c3da4a09acf26a63626880dcc4ae831d7fa77659a777aa5c2b8a91d6f96b0d70bae78b2ec6d60456869ba78847b2823f39fd6ff1b206ad06df9743623

  • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp