Overview

overview

10

Static

static

INVOICE USA LIST.exe

windows7_x64

10

INVOICE USA LIST.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    93s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE USA LIST.exe

  • Size

    745KB

  • MD5

    d661c9e364745c8487438ee2dc1bdb6c

  • SHA1

    ac7ec5bc8c699ab69d4677ab7b645d8a9111ebda

  • SHA256

    1e82507cd7b999f2ffa46f4591486b0ff45fb3fc664419279c15677f4a5a20d9

  • SHA512

    33d2b676e0f4afb5cb8bbb198fcc64fc9972d684972ab675c00f81c3247590b1eaa781ece5f00e4452910279b74aa890a67ace7f867be1d3dfa008d2c0370821

Score
9/10
evasion

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YpbouUnhoFq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9431.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe
      "{path}"
      2⤵
        PID:372
      • C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe
        "{path}"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4356
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\INVOICE USA LIST.exe'
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    5
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE USA LIST.exe.log
      Filesize

      2KB

      MD5

      635011f0f90153daff2c545c1c3ed201

      SHA1

      ae0546a7d8242b58965afc1030342d10970fa460

      SHA256

      5716f598535571b47f5f62f0baf08f019f1dfa921d1ab45f53a8f20584b92c80

      SHA512

      07386f52356558882a1a20498760673afc567d5ed55763543757ffa0788f65b3ae612a7ab8e825fabb31e39db820b27dd9a67fb0801fc00aa2f8bb1b9dd7d10a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp9431.tmp
      Filesize

      1KB

      MD5

      e395f13590e449587f05233cd1c7a321

      SHA1

      bd1942ef6c418f70bb6bf4e027cd0c5cd69e5ba5

      SHA256

      168e6fadd6d9a0b9cb2ba2260c82b8a84b6afd79e3c2f5a76fa9dffdae2633d0

      SHA512

      caeb4c86515dfa4be95a1101b5fed7f3e472c0157aa4a24181be468ccae1bc114a8629e82a07b3453f50a3b5664c247c0d5b7bbc5daffa95be164f1bd8dee76d

      Download Submit
    • memory/208-183-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-147-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-187-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-141-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-143-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-145-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-185-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-149-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-151-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-153-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-155-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-157-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-159-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-161-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-163-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-165-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-167-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-169-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-139-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-173-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-175-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-177-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-179-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-181-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-171-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-138-0x0000000000000000-mapping.dmp
      Download
    • memory/208-201-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-189-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-191-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-193-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-195-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-197-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/208-199-0x0000000000400000-0x00000000004B0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/372-137-0x0000000000000000-mapping.dmp
      Download
    • memory/1688-661-0x0000000006F70000-0x0000000006F92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1688-654-0x0000000005C00000-0x0000000006228000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1688-659-0x0000000006EA0000-0x0000000006EBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1688-653-0x00000000053D0000-0x0000000005406000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1688-658-0x0000000008010000-0x000000000868A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1688-655-0x00000000058D0000-0x00000000058F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1688-656-0x0000000005B70000-0x0000000005BD6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1688-660-0x0000000007C30000-0x0000000007CC6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1688-652-0x0000000000000000-mapping.dmp
      Download
    • memory/1688-657-0x00000000069B0000-0x00000000069CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2244-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4356-650-0x0000000000000000-mapping.dmp
      Download
    • memory/4976-134-0x00000000061A0000-0x0000000006206000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4976-133-0x0000000006C40000-0x00000000071E4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4976-130-0x0000000000FB0000-0x0000000001070000-memory.dmp
      Filesize

      768KB

      Download
    • memory/4976-131-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4976-132-0x00000000063F0000-0x000000000648C000-memory.dmp
      Filesize

      624KB

      Download