407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc

General

Target

Swift-PaymentInvoice20220331_pdf.exe
Size

520KB
MD5

72a9bcce9a210198f0d6a679b5bca7e4
SHA1

d19326cef0a76c63343fb2a762331639ed6617c2
SHA256

407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc
SHA512

ec190a3a1a887f8c4cd4863c671c5da20cc24ce6cb3ed14320a07e8e0318da7833bf882843175ea6cfe29a333839adca6f2bf4c606cba2ba0a7a012bb27824c6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

mzdtplptw.exe

pid process

904 mzdtplptw.exe

pid	process
904	mzdtplptw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mzdtplptw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cicc = "C:\\Users\\Admin\\AppData\\Roaming\\atet\\pbfpgpqobh.exe"	mzdtplptw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Swift-PaymentInvoice20220331_pdf.exemzdtplptw.exe

description	pid	process	target process
PID 1320 wrote to memory of 904	1320	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 1320 wrote to memory of 904	1320	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 1320 wrote to memory of 904	1320	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 904 wrote to memory of 3240	904	mzdtplptw.exe	mzdtplptw.exe
PID 904 wrote to memory of 3240	904	mzdtplptw.exe	mzdtplptw.exe
PID 904 wrote to memory of 3240	904	mzdtplptw.exe	mzdtplptw.exe

C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
  C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
    C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
    3⤵
    PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8l6g8amyw8

Filesize
281KB

MD5
cae134bb05999f1c66b0329fdc22ee66

SHA1
499fcb0b38076ff18e273a5dd6d905889444412c

SHA256
50807babb23db7da3d8ef3748d12df6bf9b7e8ee99149f915f75307fa39e82ca

SHA512
47b9e22f4de9281c736227bfbd053f5d608f24143fd20aec6b7596c10713e140200d10c06c81163b5b39fe9d42c8554449fd56b2154b4fefb9d99ce11b62ed1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhthfu

Filesize
7KB

MD5
feafb4af38c5b94807071b0601d22ebf

SHA1
0c81ca80b14892ae00e970d7631e1fa403052f9c

SHA256
7c813b26af97aeac39bed9802bb5d41de0aaa255da2bc07ddc98550aeec92067

SHA512
9d70489854b3c5fc3bf8f453f706c26b8a5f47628a7ec58bfd8a8b6f6eb923b7d1dbe00129e60fc82dc4e61ab1c8aafc50143396323a03acb20ce526a3c990b2

Download Submit
memory/904-124-0x0000000000000000-mapping.dmp

Download
memory/3240-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing