Malware Analysis Report

2025-06-16 03:22

Sample ID 220510-x31n9sgdd4
Target Invoice May 2 to 6 2022.exe
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
Tags bitrat trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657

Threat Level: Known bad

The file Invoice May 2 to 6 2022.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2022-05-10 19:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-10 19:23

Reported

2022-05-10 19:32

Platform

win7-20220414-en

Max time kernel

160s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\laoqp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\laoqp.exe N/A

UPX packed file

upx
Description Indicator Process Target
(9 matches, no indicator details recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1928 set thread context of 940 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1756 set thread context of 1620 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1496 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1132 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1732 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 940 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 336 wrote to memory of 1756 (7 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\laoqp.exe
PID 1756 wrote to memory of 1468 (7 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1556 (7 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1528 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1620 (4 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {373D1864-ADA7-4F1E-99D8-2EFC04C06788} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-10 19:23

Reported

2022-05-10 19:32

Platform

win10v2004-20220414-en

Max time kernel

157s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\laoqp.exe N/A

UPX packed file

upx
Description Indicator Process Target
(4 matches, no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\laoqp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4904 set thread context of 504 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 1960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 4952 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 204 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 4764 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4904 wrote to memory of 1524 (3 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 3272 (3 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 504 (4 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1524 wrote to memory of 460 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4904 wrote to memory of 504 (3 events) N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 184

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 504 -ip 504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 540

Network

Files
