df9752355297575b5c2175a1bdc6cd63fe26b6c6041282725fbb86db331411ed

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2022 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Interac-e-Transfer-Receipt.exe
Size

300.0MB
MD5

8dac8b61bf8c23264873a3f3bee260f5
SHA1

ba581c38574794324ea714a48671fad7f2384dbe
SHA256

7e4a1f93d53d3962a913e000524344bdcccd6d36d0856b3df38df57d4a8e1df3
SHA512

65ef0b281583e1f8303ff470dc134d8d35ccc394521fd93294cd251220af501137b17d39af91829efe0191e395c2494e1652565895647bf04a46b56fe0eae163

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

olkij.exe

pid process

2860 olkij.exe

pid	process
2860	olkij.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1192-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/1192-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

Interac-e-Transfer-Receipt.exe

description pid process target process

PID 868 set thread context of 1192 868 Interac-e-Transfer-Receipt.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1736 1192 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4660 schtasks.exe

description	pid	process	target process
PID 868 set thread context of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe

pid	pid_target	process	target process
1736	1192	WerFault.exe	RegAsm.exe

pid	process
4660	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Interac-e-Transfer-Receipt.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 2300	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 868 wrote to memory of 2300	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 868 wrote to memory of 2300	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 2300 wrote to memory of 4660	2300	cmd.exe	schtasks.exe
PID 2300 wrote to memory of 4660	2300	cmd.exe	schtasks.exe
PID 2300 wrote to memory of 4660	2300	cmd.exe	schtasks.exe
PID 868 wrote to memory of 3460	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 868 wrote to memory of 3460	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 868 wrote to memory of 3460	868	Interac-e-Transfer-Receipt.exe	cmd.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe
PID 868 wrote to memory of 1192	868	Interac-e-Transfer-Receipt.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Interac-e-Transfer-Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Interac-e-Transfer-Receipt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Interac-e-Transfer-Receipt.exe" "C:\Users\Admin\AppData\Local\Temp\olkij.exe"
2⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 540
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1192 -ip 1192
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\olkij.exe
C:\Users\Admin\AppData\Local\Temp\olkij.exe
1⤵
- Executes dropped EXE
PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olkij.exe
Filesize
300.0MB

MD5
8dac8b61bf8c23264873a3f3bee260f5

SHA1
ba581c38574794324ea714a48671fad7f2384dbe

SHA256
7e4a1f93d53d3962a913e000524344bdcccd6d36d0856b3df38df57d4a8e1df3

SHA512
65ef0b281583e1f8303ff470dc134d8d35ccc394521fd93294cd251220af501137b17d39af91829efe0191e395c2494e1652565895647bf04a46b56fe0eae163

Download Submit
C:\Users\Admin\AppData\Local\Temp\olkij.exe
Filesize
300.0MB

MD5
8dac8b61bf8c23264873a3f3bee260f5

SHA1
ba581c38574794324ea714a48671fad7f2384dbe

SHA256
7e4a1f93d53d3962a913e000524344bdcccd6d36d0856b3df38df57d4a8e1df3

SHA512
65ef0b281583e1f8303ff470dc134d8d35ccc394521fd93294cd251220af501137b17d39af91829efe0191e395c2494e1652565895647bf04a46b56fe0eae163

Download Submit
memory/868-132-0x0000000000800000-0x000000000098A000-memory.dmp

Filesize
1.5MB

Download
memory/868-133-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1192-137-0x0000000000000000-mapping.dmp

Download
memory/1192-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/1192-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/2300-134-0x0000000000000000-mapping.dmp

Download
memory/3460-136-0x0000000000000000-mapping.dmp

Download
memory/4660-135-0x0000000000000000-mapping.dmp

Download