Analysis
- max time kernel: 166s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:13

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO_INV90.exe
  - Resource: win7-20220414-en (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: PO_INV90.exe
- Size: 366KB
- MD5: 0918ec31c64c03a628951b52d6f8fb10
- SHA1: 21c87c032464ffeb5c73dfc7899da4a16a8a4ff0
- SHA256: adb1948d6b4d965ee35ea8107b1128a9075d3548b61a72cfb35d0893d1f4ffaf
- SHA512: 7a049054b8ec57c90ea749c96c4a9f0bc5ac69fbac8516453df58cebdc95261e9bd80f4b00c66f13c87fbc6a8397870a83d4063bdf47b07465744152df38feb3
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    PO_INV90.exe
      description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SvUSL = "C:\\TLWHJTYB\\SvUSLK\\SvUSLKHCG.vbs"
      process: PO_INV90.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    PO_INV90.exe
      description: Key opened
      ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
      process: PO_INV90.exe
    PO_INV90.exe
      description: Key value queried
      ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
      process: PO_INV90.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PO_INV90.exe
      description: PID 4748 set thread context of 1280
      pid: 4748
      process: PO_INV90.exe
      target process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    RegSvcs.exe
      pid: 1280, process: RegSvcs.exe
      pid: 1280, process: RegSvcs.exe
      pid: 1280, process: RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    RegSvcs.exe
      pid: 1280, process: RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PO_INV90.exe
      pid: 4748, process: PO_INV90.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    RegSvcs.exe
      description: Token: SeDebugPrivilege
      pid: 1280
      process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PO_INV90.exe
      description: PID 4748 wrote to memory of 1280
      pid: 4748
      process: PO_INV90.exe
      target process: RegSvcs.exe
      (the same entry is recorded four times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\PO_INV90.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\PO_INV90.exe"
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (child of 1)
   command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1280-132-0x0000000000000000-mapping.dmp
- memory/1280-134-0x0000000072B80000-0x0000000073131000-memory.dmp (filesize: 5.7MB)
- memory/4748-130-0x00000000005C0000-0x0000000000622000-memory.dmp (filesize: 392KB)
- memory/4748-131-0x0000000005620000-0x0000000005BC4000-memory.dmp (filesize: 5.6MB)
- memory/4748-133-0x0000000004EC0000-0x0000000004EC3000-memory.dmp (filesize: 12KB)