Analysis
-
max time kernel
63s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 02:06
Static task
static1
Behavioral task
behavioral1
Sample
Inv.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Inv.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral3
Sample
New Order.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
New Order.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral5
Sample
Quotation.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
Quotation.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral7
Sample
pictures and logo.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
pictures and logo.exe
Resource
win10v2004-en-20220113
General
-
Target
Inv.exe
-
Size
744KB
-
MD5
f8433b692958fa0ce7659e63203b60de
-
SHA1
dd6595d2e6d5bdf54e718b07c94fc964eab69365
-
SHA256
69b49da3c4767d2ffcd713aeea8343e1aa2f0be88512fc9c4d86a932b4ee6cb5
-
SHA512
343ab88a59614251a2323af2b886069e5507aef04421c1b937661868a4c1c3332c60af85307b2b4dc21632c983e85372486ea6f5adfb3ffefeb11cb186718a6c
Malware Config
Signatures
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
Processes:
resource yara_rule behavioral2/memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmp beds_protector -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1448-145-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral2/memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/1448-145-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral2/memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmp WebBrowserPassView -
Nirsoft 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1448-145-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral2/memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmp Nirsoft -
Drops startup file 2 IoCs
Processes:
Powershell.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Inv.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Inv.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 35 whatismyipaddress.com 37 whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Inv.exedescription pid process target process PID 1568 set thread context of 1448 1568 Inv.exe Inv.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Powershell.exeInv.exepid process 2176 Powershell.exe 1568 Inv.exe 1568 Inv.exe 2176 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
Powershell.exeInv.exeInv.exesvchost.exedescription pid process Token: SeDebugPrivilege 2176 Powershell.exe Token: SeDebugPrivilege 1568 Inv.exe Token: SeDebugPrivilege 1448 Inv.exe Token: SeShutdownPrivilege 3684 svchost.exe Token: SeCreatePagefilePrivilege 3684 svchost.exe Token: SeShutdownPrivilege 3684 svchost.exe Token: SeCreatePagefilePrivilege 3684 svchost.exe Token: SeShutdownPrivilege 3684 svchost.exe Token: SeCreatePagefilePrivilege 3684 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Inv.exepid process 1448 Inv.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Inv.exedescription pid process target process PID 1568 wrote to memory of 2176 1568 Inv.exe Powershell.exe PID 1568 wrote to memory of 2176 1568 Inv.exe Powershell.exe PID 1568 wrote to memory of 2176 1568 Inv.exe Powershell.exe PID 1568 wrote to memory of 1288 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1288 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1288 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe PID 1568 wrote to memory of 1448 1568 Inv.exe Inv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Inv.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.logMD5
553cfcb8247e9e828eef0474e2134fac
SHA1362c3f93dccc66f3bbfaf5ef681a11a0c7bc7316
SHA256a753cbd5f89b034eaeeb02fa8f0924bab30e84d86d02686fdf7c0228d8a00d54
SHA51218b4174286f47b41f47e964c5368b453eba4a23331958e7b982017f965a434aa80c0d3504d13521a9f0550bba4c2b7a62543553d4ddfdf6e1f0c39c6ef542dc4
-
memory/1448-168-0x00000000051F0000-0x0000000005794000-memory.dmpFilesize
5.6MB
-
memory/1448-148-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmpFilesize
5.6MB
-
memory/1448-145-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1448-150-0x0000000002A20000-0x0000000002A2A000-memory.dmpFilesize
40KB
-
memory/1448-151-0x0000000005290000-0x00000000052E6000-memory.dmpFilesize
344KB
-
memory/1568-134-0x00000000055D0000-0x0000000005662000-memory.dmpFilesize
584KB
-
memory/1568-130-0x0000000000B60000-0x0000000000C20000-memory.dmpFilesize
768KB
-
memory/1568-136-0x0000000005840000-0x00000000058DC000-memory.dmpFilesize
624KB
-
memory/1568-135-0x0000000006480000-0x0000000006A24000-memory.dmpFilesize
5.6MB
-
memory/1568-133-0x0000000005A00000-0x0000000005ECC000-memory.dmpFilesize
4.8MB
-
memory/1568-132-0x0000000002ED0000-0x0000000002ED1000-memory.dmpFilesize
4KB
-
memory/1568-131-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/1940-177-0x000002B274000000-0x000002B274004000-memory.dmpFilesize
16KB
-
memory/1940-165-0x000002B273D30000-0x000002B273D34000-memory.dmpFilesize
16KB
-
memory/2176-137-0x00000000023A0000-0x00000000023D6000-memory.dmpFilesize
216KB
-
memory/2176-166-0x0000000006220000-0x000000000623A000-memory.dmpFilesize
104KB
-
memory/2176-142-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/2176-144-0x00000000024B2000-0x00000000024B3000-memory.dmpFilesize
4KB
-
memory/2176-143-0x0000000005660000-0x00000000056C6000-memory.dmpFilesize
408KB
-
memory/2176-141-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/2176-164-0x0000000006FE0000-0x0000000007076000-memory.dmpFilesize
600KB
-
memory/2176-146-0x0000000004A40000-0x0000000004A5E000-memory.dmpFilesize
120KB
-
memory/2176-139-0x0000000004BD0000-0x0000000004BF2000-memory.dmpFilesize
136KB
-
memory/2176-167-0x0000000006290000-0x00000000062B2000-memory.dmpFilesize
136KB
-
memory/2176-140-0x00000000055F0000-0x0000000005656000-memory.dmpFilesize
408KB
-
memory/2176-138-0x0000000004EC0000-0x00000000054E8000-memory.dmpFilesize
6.2MB
-
memory/3684-176-0x000001D3581F0000-0x000001D3581F4000-memory.dmpFilesize
16KB
-
memory/3684-169-0x000001D355570000-0x000001D355580000-memory.dmpFilesize
64KB