Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-02-2022 00:25
Static task: static1

Behavioral task: behavioral1
- Sample: Billing Details.exe
- Resource: win7-en-20211208
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Billing Details.exe
- Resource: win10v2004-en-20220112
- 0 signatures, 0 seconds
General
- Target: Billing Details.exe
- Size: 532KB
- MD5: a4d789c995239985f1fc547b8cd64c32
- SHA1: 7c9fcee16ca3b81a35782be843406cecb803f448
- SHA256: 930328b4d0e869b7d6eec8b250366523258c33c121a8515d3a78fe8d6c8c9fc1
- SHA512: 6d6848c482eabbddb19ba2de658c5a75b9836c37093dc4be95274d19baf882e4bd599dafd48c68ea7e5f95f446360b9b455c679caf9aa27212bcfa12da628200
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid   Process
    1460  DllHost.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   Process
    964   Billing Details.exe
    964   Billing Details.exe
    964   Billing Details.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   Process              procid_target
    PID 964 wrote to memory of 1368    964   Billing Details.exe  28
    PID 964 wrote to memory of 1368    964   Billing Details.exe  28
    PID 964 wrote to memory of 1368    964   Billing Details.exe  28
    PID 964 wrote to memory of 1368    964   Billing Details.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\Billing Details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Billing Details.exe"
  PID: 964
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 964)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
    PID: 1368
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1460
  - Suspicious use of FindShellTrayWindow