86daf1fa99266c6c93338a27544826818d36f983547fb54b5b0c18a95a3671b7

General

Target

TNT Original Invoice.exe
Size

599KB
MD5

46321b1bc573a076cf8ea7cb465265c9
SHA1

0f63beac6211f02def56730e3c92e66577abce93
SHA256

86daf1fa99266c6c93338a27544826818d36f983547fb54b5b0c18a95a3671b7
SHA512

76e563ac759ff6677dddffd4a5e2a74a56694086c71526a407ff537b3cbd5ca6c2d0ee9cadc272e1ae7bea3a615faff43d7881600b1f18b728a14c9ad84a36c7
SSDEEP

12288:44xxyhCTPS9TRZBdqxuR6mCJhdNWM6owSaBiUrIlZIBl98bddZBnaD5jWcy:Lz8TLBdLRsjX6owS9IlibNBnaVK

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1948	powershell.exe
896	powershell.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe
1572	TNT Original Invoice.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	TNT Original Invoice.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1948	1572	TNT Original Invoice.exe	27
PID 1572 wrote to memory of 1948	1572	TNT Original Invoice.exe	27
PID 1572 wrote to memory of 1948	1572	TNT Original Invoice.exe	27
PID 1572 wrote to memory of 1948	1572	TNT Original Invoice.exe	27
PID 1572 wrote to memory of 896	1572	TNT Original Invoice.exe	29
PID 1572 wrote to memory of 896	1572	TNT Original Invoice.exe	29
PID 1572 wrote to memory of 896	1572	TNT Original Invoice.exe	29
PID 1572 wrote to memory of 896	1572	TNT Original Invoice.exe	29
PID 1572 wrote to memory of 1716	1572	TNT Original Invoice.exe	31
PID 1572 wrote to memory of 1716	1572	TNT Original Invoice.exe	31
PID 1572 wrote to memory of 1716	1572	TNT Original Invoice.exe	31
PID 1572 wrote to memory of 1716	1572	TNT Original Invoice.exe	31
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33
PID 1572 wrote to memory of 1144	1572	TNT Original Invoice.exe	33

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kuoCxdHtR.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kuoCxdHtR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF558.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF558.tmp

Filesize
1KB

MD5
ee2adea01d68922eb52caa7b20d68b95

SHA1
28baff44c43a0eea23e07f8d10f7bf8202123554

SHA256
5b40622cf25665d3d0765eefa1bd27a8a71fe05cd45ca77bb4372126aff5f74c

SHA512
908df4dfc707adfbc1a54f8b1d1a8e5ac14281d33da75d777bddcc33ae78d81a0df857284480df53fb71a071284ef0e34a27b315daed2024aeadcc9a10391631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a685300535d9318124216b28eb34d3c6

SHA1
6e18f540e569a03596f1a464d1c2e8b910321897

SHA256
5aa849e9317ff3fa8164b5547de0162227c587aed03703f2f0b4d0dcf3524cce

SHA512
8ac005d9b00a78bcca2ef7d45c04af9cc490b7a43903fcc4e8e6606875cf578a47a4ad645dfa33350a919f6de43616dfe90533b2bab830b8a8aa87f2ccd19f56

Download Submit
memory/896-76-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/896-74-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/1144-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1144-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1144-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1572-58-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1572-67-0x00000000050B0000-0x00000000050D2000-memory.dmp

Filesize
136KB

Download
memory/1572-59-0x0000000007E80000-0x0000000007EFC000-memory.dmp

Filesize
496KB

Download
memory/1572-54-0x0000000000D90000-0x0000000000E2C000-memory.dmp

Filesize
624KB

Download
memory/1572-57-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/1572-56-0x0000000004230000-0x00000000042F0000-memory.dmp

Filesize
768KB

Download
memory/1572-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1948-73-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-75-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads