167d71a6a442391712d666ed3b072bf45e6208333d460c0a34d059321d06ef9f

Analysis

max time kernel
25s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Receipt Order No. 20803415.pif.exe
Size

690KB
MD5

eaa51d8b99a1aa9d11ec05876ea2201f
SHA1

f6d1ad0d23ea2a27181c7ad4f71a6155592ecd79
SHA256

167d71a6a442391712d666ed3b072bf45e6208333d460c0a34d059321d06ef9f
SHA512

ffb2f67d2f3bc922663bc65cbe83d59d428c0c328cb5313d53fb8edbd6f3f33c7b59b4808b80d61facde79ab5bf1c1343c0805bb1f8563797f66cf82c232aa3a
SSDEEP

12288:xGmMZUFunCTZlpRvhKHf2mDoH63Av0ot4QUN24OG5:byU7fpOHn3Ak/g4O

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Receipt Order No. 20803415.pif.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Receipt Order No. 20803415.pif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Receipt Order No. 20803415.pif.exe

pid	process
688	Receipt Order No. 20803415.pif.exe
688	Receipt Order No. 20803415.pif.exe
688	Receipt Order No. 20803415.pif.exe
688	Receipt Order No. 20803415.pif.exe
688	Receipt Order No. 20803415.pif.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Receipt Order No. 20803415.pif.exe

description pid process

Token: SeDebugPrivilege 688 Receipt Order No. 20803415.pif.exe

description	pid	process
Token: SeDebugPrivilege	688	Receipt Order No. 20803415.pif.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Receipt Order No. 20803415.pif.exe

C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
  2⤵
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
  2⤵
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt Order No. 20803415.pif.exe"
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-54-0x0000000000350000-0x0000000000402000-memory.dmp

Filesize
712KB

Download
memory/688-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/688-56-0x0000000000870000-0x00000000008BC000-memory.dmp

Filesize
304KB

Download

description	pid	process	target process
PID 688 wrote to memory of 1032	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1032	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1032	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1032	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1076	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1076	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1076	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1076	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1724	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1724	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1724	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1724	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1996	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1996	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1996	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 1996	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 2016	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 2016	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 2016	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe
PID 688 wrote to memory of 2016	688	Receipt Order No. 20803415.pif.exe	Receipt Order No. 20803415.pif.exe