Analysis
- max time kernel: 157s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10/05/2022, 19:23
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice May 2 to 6 2022.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Invoice May 2 to 6 2022.exe
- Resource: win10v2004-20220414-en
General
- Target: Invoice May 2 to 6 2022.exe
- Size: 300.0MB
- MD5: 9ee044706961afb5c1b1cc98936786b5
- SHA1: b583dd8cb884cc786ae6ccb5c007537f42ca20d0
- SHA256: 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
- SHA512: 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  4904  laoqp.exe
- YARA rule matches
  resource                                                                     yara_rule
  behavioral2/memory/4764-138-0x0000000000610000-0x00000000009F4000-memory.dmp  upx
  behavioral2/memory/4764-139-0x0000000000610000-0x00000000009F4000-memory.dmp  upx
  behavioral2/memory/504-147-0x0000000000570000-0x0000000000954000-memory.dmp   upx
  behavioral2/memory/504-148-0x0000000000570000-0x0000000000954000-memory.dmp   upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  Invoice May 2 to 6 2022.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  laoqp.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                      procid_target
  PID 2568 set thread context of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 4904 set thread context of 504   4904  laoqp.exe                    113
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4920  4764        WerFault.exe  103
  4704  504         WerFault.exe  113
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  204  schtasks.exe
  460  schtasks.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description                       pid   Process                      procid_target
  PID 2568 wrote to memory of 1960  2568  Invoice May 2 to 6 2022.exe  97
  PID 2568 wrote to memory of 1960  2568  Invoice May 2 to 6 2022.exe  97
  PID 2568 wrote to memory of 1960  2568  Invoice May 2 to 6 2022.exe  97
  PID 2568 wrote to memory of 4952  2568  Invoice May 2 to 6 2022.exe  99
  PID 2568 wrote to memory of 4952  2568  Invoice May 2 to 6 2022.exe  99
  PID 2568 wrote to memory of 4952  2568  Invoice May 2 to 6 2022.exe  99
  PID 1960 wrote to memory of 204   1960  cmd.exe                      101
  PID 1960 wrote to memory of 204   1960  cmd.exe                      101
  PID 1960 wrote to memory of 204   1960  cmd.exe                      101
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 2568 wrote to memory of 4764  2568  Invoice May 2 to 6 2022.exe  103
  PID 4904 wrote to memory of 1524  4904  laoqp.exe                    109
  PID 4904 wrote to memory of 1524  4904  laoqp.exe                    109
  PID 4904 wrote to memory of 1524  4904  laoqp.exe                    109
  PID 4904 wrote to memory of 3272  4904  laoqp.exe                    111
  PID 4904 wrote to memory of 3272  4904  laoqp.exe                    111
  PID 4904 wrote to memory of 3272  4904  laoqp.exe                    111
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 1524 wrote to memory of 460   1524  cmd.exe                      114
  PID 1524 wrote to memory of 460   1524  cmd.exe                      114
  PID 1524 wrote to memory of 460   1524  cmd.exe                      114
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
  PID 4904 wrote to memory of 504   4904  laoqp.exe                    113
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"
  PID: 2568
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 1960
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 204
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 4952
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4764
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 184
      PID: 4920
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764
  PID: 4080
- C:\Users\Admin\AppData\Roaming\laoqp.exe
  Command line: C:\Users\Admin\AppData\Roaming\laoqp.exe
  PID: 4904
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
    PID: 1524
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      PID: 460
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
    PID: 3272
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 504
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 540
      PID: 4704
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 504 -ip 504
  PID: 3456
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 300.0MB
  MD5: 9ee044706961afb5c1b1cc98936786b5
  SHA1: b583dd8cb884cc786ae6ccb5c007537f42ca20d0
  SHA256: 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
  SHA512: 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03