Analysis
- Max time kernel: 119s
- Max time network: 119s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 02-12-2021 07:56
Static task: static1
Behavioral task: behavioral1
Sample: REVISE INVOICEPDF.exe
Resource: win7-en-20211014
General
- Target: REVISE INVOICEPDF.exe
- Size: 578KB
- MD5: e5af04f898b394a134c91d809811aed6
- SHA1: 797dadafd9fde7db95ae65e63531333ad8e128b2
- SHA256: b00c6e64af8c667452a11c65123c37fdd9efec0eec3e05e1f03bd552edf0d8ea
- SHA512: 4524016d55d99e296249caec2514bc83a125bf0505e11892bdcfb932f345a529a71ff583b8a21f7a5601b231c922abc7959b13135bfb3d68fc12a8a5f90c1604
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Description          IoC                                                               Process
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    REVISE INVOICEPDF.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   REVISE INVOICEPDF.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Description          IoC                                                               Process
    Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum         REVISE INVOICEPDF.exe
    Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0       REVISE INVOICEPDF.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    PID    Target PID    Process        Target process
    888    1712          WerFault.exe   REVISE INVOICEPDF.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    PID     Process
    888     WerFault.exe
    888     WerFault.exe
    888     WerFault.exe
    888     WerFault.exe
    888     WerFault.exe
    1464    powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Description                PID     Process
    Token: SeDebugPrivilege    888     WerFault.exe
    Token: SeDebugPrivilege    1464    powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    Description                         PID     Process                 Target process
    PID 1712 wrote to memory of 1464    1712    REVISE INVOICEPDF.exe   powershell.exe
    PID 1712 wrote to memory of 1464    1712    REVISE INVOICEPDF.exe   powershell.exe
    PID 1712 wrote to memory of 1464    1712    REVISE INVOICEPDF.exe   powershell.exe
    PID 1712 wrote to memory of 1464    1712    REVISE INVOICEPDF.exe   powershell.exe
    PID 1712 wrote to memory of 888     1712    REVISE INVOICEPDF.exe   WerFault.exe
    PID 1712 wrote to memory of 888     1712    REVISE INVOICEPDF.exe   WerFault.exe
    PID 1712 wrote to memory of 888     1712    REVISE INVOICEPDF.exe   WerFault.exe
    PID 1712 wrote to memory of 888     1712    REVISE INVOICEPDF.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe"
  PID: 1712
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REVISE INVOICEPDF.exe"
    PID: 1464
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1072
    PID: 888
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/888-63-0x0000000000000000-mapping.dmp
- memory/888-67-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/1464-61-0x0000000000000000-mapping.dmp
- memory/1464-64-0x0000000002310000-0x0000000002F5A000-memory.dmp (Filesize: 12.3MB)
- memory/1464-65-0x0000000002310000-0x0000000002F5A000-memory.dmp (Filesize: 12.3MB)
- memory/1464-66-0x0000000002310000-0x0000000002F5A000-memory.dmp (Filesize: 12.3MB)
- memory/1712-55-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (Filesize: 4KB)
- memory/1712-57-0x00000000758C1000-0x00000000758C3000-memory.dmp (Filesize: 8KB)
- memory/1712-58-0x0000000000980000-0x0000000000981000-memory.dmp (Filesize: 4KB)
- memory/1712-59-0x00000000004F0000-0x00000000004F8000-memory.dmp (Filesize: 32KB)
- memory/1712-60-0x0000000004ED0000-0x0000000004F4B000-memory.dmp (Filesize: 492KB)