Overview

overview

9

Static

static

Payment sw...df.exe

windows7_x64

9

Payment sw...df.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    129s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment swift copy.pdf.exe

  • Size

    1.3MB

  • MD5

    db30aa1c0eb9d07f3e7e966acc690898

  • SHA1

    4495b0f386ee54919a46aa911ddc1b4931ca2d8a

  • SHA256

    5176a48afec98e65c46b54977d76a78f20d8bd4333ca64285495a05862d6749b

  • SHA512

    2df235a40d63efb26903e4b494959a7daef059985d3043d34eaa2aa2e3103c0e187bc9def392e3768580ff4ce6aab098a79af105c423bf0bd5b601f8232aa047

Score
9/10
evasionspywarestealer

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Users\Admin\AppData\Local\Temp\bin.exe
          bin.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment swift copy.pdf.exe.log
    Filesize

    1KB

    MD5

    e08f822522c617a40840c62e4b0fb45e

    SHA1

    ae516dca4da5234be6676d3f234c19ec55725be7

    SHA256

    bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

    SHA512

    894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    647KB

    MD5

    5afda7c7d4f7085e744c2e7599279db3

    SHA1

    3a833eb7c6be203f16799d7b7ccd8b8c9d439261

    SHA256

    f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

    SHA512

    7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    647KB

    MD5

    5afda7c7d4f7085e744c2e7599279db3

    SHA1

    3a833eb7c6be203f16799d7b7ccd8b8c9d439261

    SHA256

    f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

    SHA512

    7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    647KB

    MD5

    5afda7c7d4f7085e744c2e7599279db3

    SHA1

    3a833eb7c6be203f16799d7b7ccd8b8c9d439261

    SHA256

    f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

    SHA512

    7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bin.exe
    Filesize

    23KB

    MD5

    345da28112fc97cbad74e45c510fd783

    SHA1

    dc88113783ed200262428c3000c35fdd093c5b64

    SHA256

    b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864

    SHA512

    e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bin.exe
    Filesize

    23KB

    MD5

    345da28112fc97cbad74e45c510fd783

    SHA1

    dc88113783ed200262428c3000c35fdd093c5b64

    SHA256

    b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864

    SHA512

    e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d

    Download Submit
  • memory/1356-144-0x00000000004F0000-0x00000000004FC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1356-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1356-148-0x00000000053A0000-0x0000000005448000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1876-134-0x0000000007EF0000-0x0000000007F8C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1876-130-0x0000000000D90000-0x0000000000EEC000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1876-135-0x000000000DBA0000-0x000000000DC06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1876-133-0x0000000007C40000-0x0000000007C4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1876-132-0x0000000007C50000-0x0000000007CE2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1876-131-0x0000000008160000-0x0000000008704000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3508-140-0x0000000000000000-mapping.dmp
    Download
  • memory/3964-137-0x0000000000400000-0x00000000005A2000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3964-139-0x0000000005400000-0x0000000005456000-memory.dmp
    Filesize

    344KB

    Download
  • memory/3964-136-0x0000000000000000-mapping.dmp
    Download