Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:42
Static task: static1
Behavioral task: behavioral1
- Sample: Hóa đơn thanh toán202005074736282989377444.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: Hóa đơn thanh toán202005074736282989377444.exe
- Size: 1.6MB
- MD5: 3620bf04976d426757cbda5e50e78cca
- SHA1: 322152f1ce9857ff4257631fe96879daf87d737f
- SHA256: c1dd3e913417e736fe1251f0d1b890756dfbc7ce89efa4f5ceee6e895d2ec79a
- SHA512: 7fc245118a8e8f5a69c2491fafc8d48cf3867898a02c7cc66514e7da5a17a79ec26cee18a26c76de7a760c8eb3d3725bfdbcd73323af5ba77a7a8ea7e7794c4b
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winver.url | Hóa đơn thanh toán202005074736282989377444.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  description | pid | process | target process
  PID 1100 set thread context of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: MSBuild.exe, Hóa đơn thanh toán202005074736282989377444.exe
  pid | process
  1052 | MSBuild.exe
  1052 | MSBuild.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: MSBuild.exe
  pid | process
  1052 | MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  pid | process
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1052 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  pid | process
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  pid | process
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
  1100 | Hóa đơn thanh toán202005074736282989377444.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Process: Hóa đơn thanh toán202005074736282989377444.exe
  description | pid | process | target process
  PID 1100 wrote to memory of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
  PID 1100 wrote to memory of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
  PID 1100 wrote to memory of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
  PID 1100 wrote to memory of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
  PID 1100 wrote to memory of 1052 | 1100 | Hóa đơn thanh toán202005074736282989377444.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Hóa đơn thanh toán202005074736282989377444.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hóa đơn thanh toán202005074736282989377444.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2, child of the process above)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1052-56-0x000000000041E792-mapping.dmp
- memory/1052-59-0x0000000073DA0000-0x000000007434B000-memory.dmp (Filesize: 5.7MB)
- memory/1052-60-0x0000000000236000-0x0000000000247000-memory.dmp (Filesize: 68KB)
- memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp (Filesize: 8KB)
- memory/1100-55-0x0000000003D50000-0x0000000003DB6000-memory.dmp (Filesize: 408KB)
- memory/1100-58-0x00000000029C0000-0x0000000002A26000-memory.dmp (Filesize: 408KB)