Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08-02-2022 00:25

General

  • Target

    Billing Details.exe

  • Size

    532KB

  • MD5

    a4d789c995239985f1fc547b8cd64c32

  • SHA1

    7c9fcee16ca3b81a35782be843406cecb803f448

  • SHA256

    930328b4d0e869b7d6eec8b250366523258c33c121a8515d3a78fe8d6c8c9fc1

  • SHA512

    6d6848c482eabbddb19ba2de658c5a75b9836c37093dc4be95274d19baf882e4bd599dafd48c68ea7e5f95f446360b9b455c679caf9aa27212bcfa12da628200

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Billing Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Billing Details.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
      PID:1368
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    • Suspicious use of FindShellTrayWindow
    PID:1460

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/964-56-0x0000000076C91000-0x0000000076C93000-memory.dmp

    Filesize

    8KB

  • memory/1368-59-0x00000000004A0000-0x00000000004A2000-memory.dmp

    Filesize

    8KB

  • memory/1460-60-0x00000000000F0000-0x00000000000F2000-memory.dmp

    Filesize

    8KB

  • memory/1460-61-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB