82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

General

Target

invoice-2013790008755.bat.exe
Size

269KB
MD5

c37e3d75cffedf5dfd2710d0741012b8
SHA1

e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb
SHA256

82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3
SHA512

c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe

pid	process
1376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

invoice-2013790008755.bat.exe

pid	process
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe
1672	invoice-2013790008755.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

invoice-2013790008755.bat.exe

description pid process

Token: SeDebugPrivilege 1672 invoice-2013790008755.bat.exe

description	pid	process
Token: SeDebugPrivilege	1672	invoice-2013790008755.bat.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

invoice-2013790008755.bat.exe

description	pid	process	target process
PID 1672 wrote to memory of 1376	1672	invoice-2013790008755.bat.exe	schtasks.exe
PID 1672 wrote to memory of 1376	1672	invoice-2013790008755.bat.exe	schtasks.exe
PID 1672 wrote to memory of 1376	1672	invoice-2013790008755.bat.exe	schtasks.exe
PID 1672 wrote to memory of 1376	1672	invoice-2013790008755.bat.exe	schtasks.exe
PID 1672 wrote to memory of 1696	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1696	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1696	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1696	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1072	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1072	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1072	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1072	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1688	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1688	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1688	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1688	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1736	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1736	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1736	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1736	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1308	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1308	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1308	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1672 wrote to memory of 1308	1672	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD96E.tmp"
2⤵
- Creates scheduled task(s)
PID:1376

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-60-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1672-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1672-57-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1672-58-0x0000000000370000-0x0000000000375000-memory.dmp

Filesize
20KB

Download
memory/1672-59-0x00000000040C0000-0x00000000040FE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads