Analysis

max time kernel: 303s
max time network: 306s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 09/05/2022, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: Invoice May 2 to 6 2022.exe
Resource: win7-20220414-en
General

Target: Invoice May 2 to 6 2022.exe
Size: 300.0MB
MD5: 9ee044706961afb5c1b1cc98936786b5
SHA1: b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256: 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512: 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: houseofc.duckdns.org:24993
communication_password: d6723e7cd6735df68d1ce4c704c29a04
tor_process: tor
Signatures

Executes dropped EXE (5 IoCs)
  pid   Process
  4072  laoqp.exe
  4800  laoqp.exe
  2652  laoqp.exe
  2700  laoqp.exe
  1504  laoqp.exe

YARA rule matches (yara_rule: upx)
  resource
  behavioral2/memory/1136-137-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1136-138-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1136-139-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1136-140-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1136-141-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1616-152-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/3636-163-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/1464-173-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral2/memory/4248-183-0x0000000000400000-0x00000000007E4000-memory.dmp

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  laoqp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  laoqp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  Invoice May 2 to 6 2022.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  laoqp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  laoqp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid   Process
  1136  RegAsm.exe
  1136  RegAsm.exe
  1136  RegAsm.exe
  1136  RegAsm.exe
  1616  RegAsm.exe
  3636  RegAsm.exe
  1464  RegAsm.exe
  4248  RegAsm.exe

Suspicious use of SetThreadContext (5 IoCs)
  description                           pid   Process                      procid_target
  PID 4876 set thread context of 1136   4876  Invoice May 2 to 6 2022.exe  101
  PID 4072 set thread context of 1616   4072  laoqp.exe                    107
  PID 4800 set thread context of 3636   4800  laoqp.exe                    115
  PID 2652 set thread context of 1464   2652  laoqp.exe                    122
  PID 2700 set thread context of 4248   2700  laoqp.exe                    129

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3476  schtasks.exe
  4388  schtasks.exe
  3792  schtasks.exe
  2260  schtasks.exe
  4908  schtasks.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  1136  RegAsm.exe
  Token: SeShutdownPrivilege  1616  RegAsm.exe
  Token: SeShutdownPrivilege  3636  RegAsm.exe
  Token: SeShutdownPrivilege  1464  RegAsm.exe
  Token: SeShutdownPrivilege  4248  RegAsm.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1136  RegAsm.exe
  1136  RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"
  PID: 4876
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 2580
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 3476
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 1760

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1136
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 4072
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 308
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 4388
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 1564

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1616
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 4800
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 476
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 3792
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 3140

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 3636
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 2652
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 1948
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 2260
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 4244

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1464
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 2700
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 4860

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 4908
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 4416

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4248
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 1504
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads