24093405b5488debd355b39f704bfc4beddc4c60ebec6d56e0c7b25e29a7758a

General

Target

Invoice #08 1232.exe
Size

1.0MB
MD5

1ff3931b973f49044b0721f73ac067f1
SHA1

97bfeed429c997b3a254fae324e68cfed9cd8d22
SHA256

24093405b5488debd355b39f704bfc4beddc4c60ebec6d56e0c7b25e29a7758a
SHA512

9f9896ba6834d8b3c563df160105864c5e2c7b23958bf7d1395628b8e95edc68606920b66e68e6bf47c2f399ed55419b37a3a3aefc792ba6d8aba2dbc72207a4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe

pid	process
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Invoice #08 1232.exepowershell.exepowershell.exe

pid	process
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
684	Invoice #08 1232.exe
1972	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Invoice #08 1232.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	684	Invoice #08 1232.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Invoice #08 1232.exe

description	pid	process	target process
PID 684 wrote to memory of 1812	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1812	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1812	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1812	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1972	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1972	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1972	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 1972	684	Invoice #08 1232.exe	powershell.exe
PID 684 wrote to memory of 2024	684	Invoice #08 1232.exe	schtasks.exe
PID 684 wrote to memory of 2024	684	Invoice #08 1232.exe	schtasks.exe
PID 684 wrote to memory of 2024	684	Invoice #08 1232.exe	schtasks.exe
PID 684 wrote to memory of 2024	684	Invoice #08 1232.exe	schtasks.exe
PID 684 wrote to memory of 112	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 112	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 112	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 112	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1640	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1640	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1640	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1640	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1600	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1600	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1600	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1600	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1776	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1776	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1776	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1776	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1704	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1704	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1704	684	Invoice #08 1232.exe	Invoice #08 1232.exe
PID 684 wrote to memory of 1704	684	Invoice #08 1232.exe	Invoice #08 1232.exe

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CVwLzxmhtirbHE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CVwLzxmhtirbHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC16.tmp"
2⤵
- Creates scheduled task(s)
PID:2024

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
2⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCC16.tmp

Filesize
1KB

MD5
4ddadae08bbae3b5867569eefc654fce

SHA1
19e7600221b1af6f66c263e7ee0508415046ce48

SHA256
491a7304efea2514ca3d3e135714d7bf5e8c43527fe5795a0939e51113610e8d

SHA512
c6252bd369b895096b753a2480040a9def2c18f1311878e12a9340f125d06b2a10989008790b42aeba4a051b0dd72f286914a74546e79a2c97f9b9117600a531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e6be703e2ea802572d1a8383e9b9d1e2

SHA1
808a91d8f7d8d3245d148484aa0f575623c4f49b

SHA256
07569598cecaceab124fec820c59268d65374564fb1c3078294866910d8ea616

SHA512
43abd08ffb0ec829ab032bcea4a8e7ea8c7c8b5972ed42dd8d6ba06f2c7a8b9b6d88f5a43d13c10aaabbc03cdb8d931e76a06a306b5a5b3d56d064a1bc92ea82

Download Submit
memory/684-57-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/684-54-0x0000000000300000-0x0000000000408000-memory.dmp

Filesize
1.0MB

Download
memory/684-58-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/684-59-0x0000000005170000-0x00000000051F6000-memory.dmp

Filesize
536KB

Download
memory/684-56-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download
memory/684-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/684-67-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1812-60-0x0000000000000000-mapping.dmp

Download
memory/1812-68-0x000000006E310000-0x000000006E8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1812-70-0x000000006E310000-0x000000006E8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download
memory/1972-69-0x000000006E310000-0x000000006E8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads