9f377c8709ba71efaa74d270b7a4c98f44ea62847c66d2e54a1d1044bb8a2577

General

Target

Invoice.exe
Size

818KB
MD5

922902037e92ce7c5297054a629f1ef5
SHA1

59ca48a0edf12bd54e7a7e956e3ded80f75cada5
SHA256

37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd
SHA512

ec101fb291b663b9916b9d056e0f10564e12d44c747cd3b5e2f1b93bce07073a0deb1b9e1c041c549d4381a254c2db9c72ce50258fec82e4dfd23faa159ab80e

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3304 set thread context of 4092	3304	Invoice.exe	81

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3304	Invoice.exe
3304	Invoice.exe
3304	Invoice.exe
4912	powershell.exe
4912	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	Invoice.exe
Token: SeDebugPrivilege	4912	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 3304 wrote to memory of 4092	3304	Invoice.exe	81
PID 4092 wrote to memory of 5084	4092	Invoice.exe	88
PID 4092 wrote to memory of 5084	4092	Invoice.exe	88
PID 4092 wrote to memory of 5084	4092	Invoice.exe	88
PID 5084 wrote to memory of 4912	5084	cmd.exe	90
PID 5084 wrote to memory of 4912	5084	cmd.exe	90
PID 5084 wrote to memory of 4912	5084	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\Invoice.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Invoice.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Invoice.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3304-130-0x0000000000C30000-0x0000000000D02000-memory.dmp

Filesize
840KB

Download
memory/3304-131-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/3304-132-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3304-133-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3304-134-0x000000000DBA0000-0x000000000DC3C000-memory.dmp

Filesize
624KB

Download
memory/4092-136-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4092-138-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4912-141-0x0000000002E80000-0x0000000002EB6000-memory.dmp

Filesize
216KB

Download
memory/4912-142-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4912-143-0x0000000005F20000-0x0000000005F42000-memory.dmp

Filesize
136KB

Download
memory/4912-144-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4912-145-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4912-146-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/4912-147-0x0000000006CA0000-0x0000000006CBA000-memory.dmp

Filesize
104KB

Download
memory/4912-148-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/4912-149-0x0000000006D90000-0x0000000006DB2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing