Analysis
Max time kernel: 147s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 01:19

Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip.exe
Resource: win7-20220414-en
General
Target: Payment Slip.exe
Size: 305KB
MD5: 959cc1d1577952988bee9d96237dc04f
SHA1: 11942e192b6f5f4bba6947653fb070385f42998a
SHA256: 9e5404dae4cf7c22028a3d09e99fa532a1f14e0636aa8112d177933a8b066b6c
SHA512: 30e5e5f62239042b905a01c7d51f52f7be5668dbe23d4ec63b3a0c8e50f9ccb2f770fce1efbcd3914e842f0762838f8eb0ed9db1eb1fb670c890caaeece8fb70
Malware Config
Extracted
Family: formbook
Version: 4.0
Campaign: i032
C2 domains:
threecraftybitchhs.com
vmbitcoin.com
theeverydayrootsbook.com
perksatwrok.com
oilspilladjustersettlement.com
actiilifecoaching.com
kbv627xlp9o.biz
masterfitnessusa.com
bit-coin-b2b.com
crossfitpoway.com
van-life.info
start.supply
wonobi.com
volunteerfife.com
steamlish.com
fortituderunclub.com
10sweetmasageparlour.com
2espiritus.com
free-part-manuals.net
gocier.com
thecoldestirose.com
visionpetlonpolymers.com
broadbandec.info
gaoluxue.com
support360.info
thietkenoithatchungcudep.com
buatweb.click
masterthistoday.com
restoralplus.net
entrepreneurdreamers.com
crohnstracklightstudy.com
philsoft.net
nortf.com
bndzn.com
quadroshopter.com
findyouremptycows.com
getyourlegalhelpnow.com
otodidakscript.com
shocolo.com
hljbsjy.com
pinkiesaloncenter.com
woodenspoonbakehouse.com
acceleratedhealingpodcast.com
zdkrui.com
caca111.com
hjemmesidemester.com
kcsmqd.com
gptxr8.com
ggluav81.com
grantsburgbasketball.com
ziacs.com
changingthescale.com
kfifab.com
hostelagency.com
vitolines.com
zzgst.com
toneonemedia.com
schatzkind.com
wwwyy8181.com
indianchargers.com
prohealth.cloud
hfsycm.com
blueroast.com
viralbobmail.com
regulars6.com
Signatures

CoreEntity .NET Packer (1 IoC)
A .NET packer, CoreEntity, that embeds the payload as a BitMap object which is later decrypted.
Matches (resource / yara_rule):
- behavioral1/memory/1504-56-0x0000000000240000-0x0000000000248000-memory.dmp / coreentity

CoreCCC Packer (1 IoC)
Detects the CoreCCC packer used to load .NET malware.
Matches (resource / yara_rule):
- behavioral1/memory/1504-54-0x0000000001120000-0x0000000001172000-memory.dmp / coreccc

Formbook Payload (4 IoCs)
Matches (resource / yara_rule):
- behavioral1/memory/2008-63-0x0000000000400000-0x000000000042D000-memory.dmp / formbook
- behavioral1/memory/2008-64-0x000000000041E330-mapping.dmp / formbook
- behavioral1/memory/2008-66-0x0000000000400000-0x000000000042D000-memory.dmp / formbook
- behavioral1/memory/1724-75-0x0000000000080000-0x00000000000AD000-memory.dmp / formbook

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Matches (resource / yara_rule):
- behavioral1/memory/1504-57-0x0000000000CE0000-0x0000000000D1A000-memory.dmp / rezer0

Deletes itself (1 IoC)
Processes (pid / process):
- 1988 / cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description / pid / process / target process):
- PID 1504 set thread context of 2008 / 1504 / Payment Slip.exe / Payment Slip.exe
- PID 2008 set thread context of 1344 / 2008 / Payment Slip.exe / Explorer.EXE
- PID 2008 set thread context of 1344 / 2008 / Payment Slip.exe / Explorer.EXE
- PID 1724 set thread context of 1344 / 1724 / cmd.exe / Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (pid / process):
- 1504 / Payment Slip.exe (1 hit)
- 2008 / Payment Slip.exe (3 hits)
- 1724 / cmd.exe (23 hits)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid / process):
- 2008 / Payment Slip.exe (4 hits)
- 1724 / cmd.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1504 / Payment Slip.exe
- Token: SeDebugPrivilege / 2008 / Payment Slip.exe
- Token: SeDebugPrivilege / 1724 / cmd.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
- 1344 / Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid / process):
- 1344 / Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description / pid / process / target process):
- PID 1504 wrote to memory of 2040 / 1504 / Payment Slip.exe / schtasks.exe (4 hits)
- PID 1504 wrote to memory of 2008 / 1504 / Payment Slip.exe / Payment Slip.exe (7 hits)
- PID 1344 wrote to memory of 1724 / 1344 / Explorer.EXE / cmd.exe (4 hits)
- PID 1724 wrote to memory of 1988 / 1724 / cmd.exe / cmd.exe (4 hits)
Processes (process tree; indentation shows parent/child)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UjCdGbhg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1288.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1288.tmp
Filesize: 1KB
MD5: 06eaf3d704b56a8f918101aef8f11e0f
SHA1: 092eded4a308fb5704e3b353abcc91ac3d414266
SHA256: af06168c6c8ea4569b3db8163207a28bd57580b615c65e9e9cd8efd02aaff991
SHA512: 633bdd67bde9217b29b6433865031d5213984a1e7372c29746a19475f8640375423c99797a3d0556c3ba085b0f845a03780a063f54ff8f268dc658149a9b8f44

memory/1344-72-0x0000000007140000-0x0000000007275000-memory.dmp
Filesize: 1.2MB

memory/1344-69-0x0000000007000000-0x000000000713E000-memory.dmp
Filesize: 1.2MB

memory/1344-79-0x0000000004250000-0x0000000004345000-memory.dmp
Filesize: 980KB

memory/1504-56-0x0000000000240000-0x0000000000248000-memory.dmp
Filesize: 32KB

memory/1504-54-0x0000000001120000-0x0000000001172000-memory.dmp
Filesize: 328KB

memory/1504-55-0x0000000076561000-0x0000000076563000-memory.dmp
Filesize: 8KB

memory/1504-57-0x0000000000CE0000-0x0000000000D1A000-memory.dmp
Filesize: 232KB

memory/1724-74-0x000000004A150000-0x000000004A19C000-memory.dmp
Filesize: 304KB

memory/1724-73-0x0000000000000000-mapping.dmp

memory/1724-78-0x00000000003E0000-0x0000000000473000-memory.dmp
Filesize: 588KB

memory/1724-77-0x0000000001FC0000-0x00000000022C3000-memory.dmp
Filesize: 3.0MB

memory/1724-75-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize: 180KB

memory/1988-76-0x0000000000000000-mapping.dmp

memory/2008-60-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize: 180KB

memory/2008-71-0x0000000000270000-0x0000000000284000-memory.dmp
Filesize: 80KB

memory/2008-68-0x00000000001E0000-0x00000000001F4000-memory.dmp
Filesize: 80KB

memory/2008-64-0x000000000041E330-mapping.dmp

memory/2008-63-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize: 180KB

memory/2008-61-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize: 180KB

memory/2008-66-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize: 180KB

memory/2008-67-0x0000000000880000-0x0000000000B83000-memory.dmp
Filesize: 3.0MB

memory/2040-58-0x0000000000000000-mapping.dmp