054a87f22039dface4936d5516820b990e3b75bd82df162b3d8c299c4b9cca79

Analysis

Target

Debit_Invoice.exe
Size

1.5MB
MD5

8a045b880ead4d0ac9b9709fad3547b6
SHA1

2a1fd9cdf9c35a40aa73af46b6dd345a2903dfac
SHA256

0d3bfc388f1c5a6e131c708b80ad8cd43ed45c96bb0893f95f986ad4f7a29bb7
SHA512

78593283f031102b59160170c0ae2500e3201824e3731b977e8400e1c4d1ddfa771b8bc64dc8a37fd5c3225132091de6a87d30d217428244944520d3f10d9082

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2424	2480	Debit_Invoice.exe	80
PID 2480 wrote to memory of 2424	2480	Debit_Invoice.exe	80
PID 2480 wrote to memory of 2424	2480	Debit_Invoice.exe	80

C:\Users\Admin\AppData\Local\Temp\Debit_Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Debit_Invoice.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2424

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact