95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d

General

Target

Payment Slip.exe
Size

831KB
MD5

3d0d9c87ea732caf417afa0b8af62267
SHA1

dfb1e57a9cf498310cb7287f4b5792cbcd8b3974
SHA256

95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d
SHA512

e7db51cd7baf84cf65ebead15c3e56ca9e381866a4edc7e945affe4f64f53bef08519037a5e4fc2ef8f8034e91b240b5d3511a2cdec08e308e8e473a7430a83b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

908 schtasks.exe

pid	process
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Payment Slip.exe

pid	process
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe
1080	Payment Slip.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment Slip.exe

description pid process

Token: SeDebugPrivilege 1080 Payment Slip.exe

description	pid	process
Token: SeDebugPrivilege	1080	Payment Slip.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Payment Slip.exe

description	pid	process	target process
PID 1080 wrote to memory of 908	1080	Payment Slip.exe	schtasks.exe
PID 1080 wrote to memory of 908	1080	Payment Slip.exe	schtasks.exe
PID 1080 wrote to memory of 908	1080	Payment Slip.exe	schtasks.exe
PID 1080 wrote to memory of 908	1080	Payment Slip.exe	schtasks.exe
PID 1080 wrote to memory of 1044	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1044	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1044	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1044	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1536	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1536	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1536	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1536	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 580	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 580	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 580	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 580	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1964	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1964	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1964	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1964	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1956	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1956	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1956	1080	Payment Slip.exe	Payment Slip.exe
PID 1080 wrote to memory of 1956	1080	Payment Slip.exe	Payment Slip.exe

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uVxomBuy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CF6.tmp"
2⤵
- Creates scheduled task(s)
PID:908

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-66-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1080-62-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1080-63-0x0000000000300000-0x0000000000307000-memory.dmp

Filesize
28KB

Download
memory/1080-64-0x0000000005B00000-0x0000000005B5F000-memory.dmp

Filesize
380KB

Download
memory/1080-65-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads