Analysis
- max time kernel: 129s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment swift copy.pdf.exe
- Resource: win7-20220414-en
General
- Target: Payment swift copy.pdf.exe
- Size: 1.3MB
- MD5: db30aa1c0eb9d07f3e7e966acc690898
- SHA1: 4495b0f386ee54919a46aa911ddc1b4931ca2d8a
- SHA256: 5176a48afec98e65c46b54977d76a78f20d8bd4333ca64285495a05862d6749b
- SHA512: 2df235a40d63efb26903e4b494959a7daef059985d3043d34eaa2aa2e3103c0e187bc9def392e3768580ff4ce6aab098a79af105c423bf0bd5b601f8232aa047
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1356 | bin.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Payment swift copy.pdf.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Payment swift copy.pdf.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Payment swift copy.pdf.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1356 | bin.exe (2 occurrences)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Payment swift copy.pdf.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Payment swift copy.pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1876 set thread context of 3964 | 1876 | Payment swift copy.pdf.exe | Payment swift copy.pdf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
    1876 | Payment swift copy.pdf.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1876 | Payment swift copy.pdf.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
    PID 1876 wrote to memory of 3964 | 1876 | Payment swift copy.pdf.exe | Payment swift copy.pdf.exe (9 occurrences)
    PID 3964 wrote to memory of 3508 | 3964 | Payment swift copy.pdf.exe | cmd.exe (3 occurrences)
    PID 3508 wrote to memory of 1356 | 3508 | cmd.exe | bin.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe
      Command line: "{path}"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c bin.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\bin.exe
            Command line: bin.exe
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment swift copy.pdf.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
  Filesize: 647KB
  MD5: 5afda7c7d4f7085e744c2e7599279db3
  SHA1: 3a833eb7c6be203f16799d7b7ccd8b8c9d439261
  SHA256: f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
  SHA512: 7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944
- C:\Users\Admin\AppData\Local\Temp\bin.exe
  Filesize: 23KB
  MD5: 345da28112fc97cbad74e45c510fd783
  SHA1: dc88113783ed200262428c3000c35fdd093c5b64
  SHA256: b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864
  SHA512: e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d
- memory/1356-144-0x00000000004F0000-0x00000000004FC000-memory.dmp (Filesize: 48KB)
- memory/1356-141-0x0000000000000000-mapping.dmp
- memory/1356-148-0x00000000053A0000-0x0000000005448000-memory.dmp (Filesize: 672KB)
- memory/1876-134-0x0000000007EF0000-0x0000000007F8C000-memory.dmp (Filesize: 624KB)
- memory/1876-130-0x0000000000D90000-0x0000000000EEC000-memory.dmp (Filesize: 1.4MB)
- memory/1876-135-0x000000000DBA0000-0x000000000DC06000-memory.dmp (Filesize: 408KB)
- memory/1876-133-0x0000000007C40000-0x0000000007C4A000-memory.dmp (Filesize: 40KB)
- memory/1876-132-0x0000000007C50000-0x0000000007CE2000-memory.dmp (Filesize: 584KB)
- memory/1876-131-0x0000000008160000-0x0000000008704000-memory.dmp (Filesize: 5.6MB)
- memory/3508-140-0x0000000000000000-mapping.dmp
- memory/3964-137-0x0000000000400000-0x00000000005A2000-memory.dmp (Filesize: 1.6MB)
- memory/3964-139-0x0000000005400000-0x0000000005456000-memory.dmp (Filesize: 344KB)
- memory/3964-136-0x0000000000000000-mapping.dmp