Analysis
- max time kernel: 160s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10/05/2022, 19:23

Static task: static1

Behavioral task: behavioral1
- Sample: Invoice May 2 to 6 2022.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Invoice May 2 to 6 2022.exe
- Resource: win10v2004-20220414-en
General
- Target: Invoice May 2 to 6 2022.exe
- Size: 300.0MB
- MD5: 9ee044706961afb5c1b1cc98936786b5
- SHA1: b583dd8cb884cc786ae6ccb5c007537f42ca20d0
- SHA256: 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
- SHA512: 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: houseofc.duckdns.org:24993
- communication_password: d6723e7cd6735df68d1ce4c704c29a04
- tor_process: tor
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1756  laoqp.exe
  676   laoqp.exe

Yara rule matches on memory dumps (9 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/940-63-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-65-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-66-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-68-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-69-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-72-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-73-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/940-74-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1620-101-0x0000000000400000-0x00000000007E4000-memory.dmp upx

Loads dropped DLL (6 IoCs)
  pid   Process
  1756  laoqp.exe
  1756  laoqp.exe
  1756  laoqp.exe
  676   laoqp.exe
  676   laoqp.exe
  676   laoqp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid   Process
  940   RegAsm.exe
  940   RegAsm.exe
  940   RegAsm.exe
  940   RegAsm.exe
  1620  RegAsm.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                      procid_target
  PID 1928 set thread context of 940   1928  Invoice May 2 to 6 2022.exe  32
  PID 1756 set thread context of 1620  1756  laoqp.exe                    40

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1732  schtasks.exe
  1528  schtasks.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     940   RegAsm.exe
  Token: SeShutdownPrivilege  940   RegAsm.exe
  Token: SeDebugPrivilege     1620  RegAsm.exe
  Token: SeShutdownPrivilege  1620  RegAsm.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  940   RegAsm.exe
  940   RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (indented by parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe (PID 1928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1496)
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1732)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 1132)
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 940)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\taskeng.exe (PID 336)
  Command line: taskeng.exe {373D1864-ADA7-4F1E-99D8-2EFC04C06788} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\laoqp.exe (PID 1756)
    Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1468)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 1528)
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1556)
      Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1620)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\laoqp.exe (PID 676)
    Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
    Signatures: Executes dropped EXE; Loads dropped DLL
    - C:\Windows\SysWOW64\cmd.exe (PID 1876)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    - C:\Windows\SysWOW64\cmd.exe (PID 1132)
      Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
Downloads