Analysis

max time kernel:   303s
max time network:  314s
platform:          windows7_x64
resource:          win7-20220414-en
submitted:         09/05/2022, 19:12

Static task:       static1
Behavioral task:   behavioral1
Sample:            Invoice May 2 to 6 2022.exe
Resource:          win7-20220414-en
General

Target:  Invoice May 2 to 6 2022.exe
Size:    300.0MB
MD5:     9ee044706961afb5c1b1cc98936786b5
SHA1:    b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256:  9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512:  255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03
Malware Config

Extracted
Family:   bitrat
Version:  1.38
C2:       houseofc.duckdns.org:24993
Attributes:
  communication_password:  d6723e7cd6735df68d1ce4c704c29a04
  tor_process:             tor
Signatures

Executes dropped EXE (3 IoCs)
  pid    Process
  1300   laoqp.exe
  908    laoqp.exe
  1752   laoqp.exe
  resource                                                                       yara_rule
  behavioral1/memory/364-65-0x0000000000440000-0x0000000000824000-memory.dmp     upx
  behavioral1/memory/364-68-0x0000000000440000-0x0000000000824000-memory.dmp     upx
  behavioral1/memory/364-69-0x0000000000440000-0x0000000000824000-memory.dmp     upx
  behavioral1/memory/364-72-0x0000000000440000-0x0000000000824000-memory.dmp     upx
  behavioral1/memory/364-80-0x0000000000440000-0x0000000000824000-memory.dmp     upx
  behavioral1/memory/1472-89-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1472-92-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1472-94-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1472-95-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1472-99-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1472-100-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1472-101-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1116-127-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
Loads dropped DLL (9 IoCs)
  pid    Process
  1300   laoqp.exe
  1300   laoqp.exe
  1300   laoqp.exe
  908    laoqp.exe
  908    laoqp.exe
  908    laoqp.exe
  1752   laoqp.exe
  1752   laoqp.exe
  1752   laoqp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid    Process
  364    RegAsm.exe
  364    RegAsm.exe
  364    RegAsm.exe
  364    RegAsm.exe
  1472   RegAsm.exe
  1116   RegAsm.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                              pid    Process                        procid_target
  PID 604 set thread context of 364        604    Invoice May 2 to 6 2022.exe    32
  PID 1300 set thread context of 1472      1300   laoqp.exe                      39
  PID 908 set thread context of 1116       908    laoqp.exe                      47
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  748    schtasks.exe
  948    schtasks.exe
  1732   schtasks.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                   pid    Process
  Token: SeDebugPrivilege       364    RegAsm.exe
  Token: SeShutdownPrivilege    364    RegAsm.exe
  Token: SeDebugPrivilege       1472   RegAsm.exe
  Token: SeShutdownPrivilege    1472   RegAsm.exe
  Token: SeDebugPrivilege       1116   RegAsm.exe
  Token: SeShutdownPrivilege    1116   RegAsm.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  364    RegAsm.exe
  364    RegAsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid    Process                        procid_target   entries
  PID 604 wrote to memory of 2016      604    Invoice May 2 to 6 2022.exe    27              7
  PID 604 wrote to memory of 1964      604    Invoice May 2 to 6 2022.exe    29              7
  PID 2016 wrote to memory of 948      2016   cmd.exe                        31              7
  PID 604 wrote to memory of 364       604    Invoice May 2 to 6 2022.exe    32              11
  PID 528 wrote to memory of 1300      528    taskeng.exe                    34              7
  PID 1300 wrote to memory of 956      1300   laoqp.exe                      35              7
  PID 1300 wrote to memory of 880      1300   laoqp.exe                      37              7
  PID 956 wrote to memory of 1732      956    cmd.exe                        40              7
  PID 1300 wrote to memory of 1472     1300   laoqp.exe                      39              4
  (Identical rows are collapsed; the entries column gives how many times each row appears, 64 in total.)
Processes

Each indented entry is a child of the process above it.

Invoice May 2 to 6 2022.exe (PID 604)
  Path:     C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe
  Command:  "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    cmd.exe (PID 2016)
      Path:     C:\Windows\SysWOW64\cmd.exe
      Command:  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      - Suspicious use of WriteProcessMemory

        schtasks.exe (PID 948)
          Path:     C:\Windows\SysWOW64\schtasks.exe
          Command:  schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
          - Creates scheduled task(s)

    cmd.exe (PID 1964)
      Path:     C:\Windows\SysWOW64\cmd.exe
      Command:  "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

    RegAsm.exe (PID 364)
      Path:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

taskeng.exe (PID 528)
  Path:     C:\Windows\system32\taskeng.exe
  Command:  taskeng.exe {6BBE2939-C6EA-49DC-BA7C-0F84D1D31C27} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    laoqp.exe (PID 1300)
      Path:     C:\Users\Admin\AppData\Roaming\laoqp.exe
      Command:  C:\Users\Admin\AppData\Roaming\laoqp.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        cmd.exe (PID 956)
          Path:     C:\Windows\SysWOW64\cmd.exe
          Command:  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
          - Suspicious use of WriteProcessMemory

            schtasks.exe (PID 1732)
              Path:     C:\Windows\SysWOW64\schtasks.exe
              Command:  schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
              - Creates scheduled task(s)

        cmd.exe (PID 880)
          Path:     C:\Windows\SysWOW64\cmd.exe
          Command:  "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

        RegAsm.exe (PID 1472)
          Path:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken

    laoqp.exe (PID 908)
      Path:     C:\Users\Admin\AppData\Roaming\laoqp.exe
      Command:  C:\Users\Admin\AppData\Roaming\laoqp.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext

        cmd.exe (PID 572)
          Path:     C:\Windows\SysWOW64\cmd.exe
          Command:  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

            schtasks.exe (PID 748)
              Path:     C:\Windows\SysWOW64\schtasks.exe
              Command:  schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
              - Creates scheduled task(s)

        cmd.exe (PID 1492)
          Path:     C:\Windows\SysWOW64\cmd.exe
          Command:  "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

        RegAsm.exe (PID 1116)
          Path:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken

    laoqp.exe (PID 1752)
      Path:     C:\Users\Admin\AppData\Roaming\laoqp.exe
      Command:  C:\Users\Admin\AppData\Roaming\laoqp.exe
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads