Analysis
- max time kernel: 154s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 13:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Invoice.exe
  - Resource: win7-20220901-en
General
- Target: Invoice.exe
- Size: 602KB
- MD5: 75bab4e3e275410ee46f56c96d2ca719
- SHA1: ff9f741609c0009d066c33d8fd8d668c66f6c829
- SHA256: 1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc
- SHA512: deb1b0dce46a9bd2b2ee90f61fbe9f41db562b35782c1b83c6ac41ff0c384ea27b828e5ef03e644b9fbd40a1dd0e24a1fa57c4eb625a24752c18b9ac2563ce57
- SSDEEP: 12288:gOVGmi1JQ52I8sDQJRZ+z+8xmduDYHkUVszxOAzZ21vMiNSpS:gcJAJtESRY+8xiHxefoNSo
Malware Config
Extracted
formbook
scse
SKpYFyVNT2zunKf0uuM=
FlEHUseI7I5XbrO8fR/XBcS9ZA==
FPuxoUOxkLiATugw
VKdxsDSk0jdT5Kw=
FpqHf9iI/1tl97E=
YGI6sIl3UIxfZvlD+JiUuuLR
oBAEO0suBEAD5aK00A==
RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
VFg9s3W0/Ype8A3cZb+D7g==
hwD+VNd6014nrsaTWm4FBcS9ZA==
zkAdUq1soKYUfZaTqLmL
XVQ9WbRivUIQ477a/hKv+g==
QireF2geizAwmp674AGc5g==
PSTUQxs6j8OATugw
LHJhyy2VbX8NEqf0uuM=
MiY1vg6T3HqATugw
wqkUjaVXnGgBqA==
jUr/eUtSIT01Wegt
PjQidcqKzAbSZICUZb+D7g==
OkAmcv12sUEAIHwFHakzdIo2FPHw
zyDLsw+3I3H6gnaGZb+D7g==
ll0HRs5IJGxCZMJPahHgOt2RqjU=
YqaIEokHuw6V
jGJG11YCObJ+IQIXCW8KU+ZcbA==
jv4ITr8zITdT5Kw=
nXYro3yHe5YV5aK00A==
rJt1IPkxeQDUayhVCJyUuuLR
oFwz1DUU/RdD5aK00A==
FHlVTKEVIRFE5aK00A==
8GhjL2lJOWD+5aK00A==
k3BLouunGsagwhAi6oeUuuLR
p45GiQN5bZMjR9karDwDa442FPHw
Zdd7rVCKu/b3TIVU6t/lP92RqjU=
wyjxGjYHuw6V
nW5RrwV6yTdT5Kw=
itzGDGclWW4SqnLBSWH5Pt2RqjU=
8zwgceJYRWn+DKf0uuM=
EmojFmj027tsHrs=
ExQEPY5UyyS00HPvNNCH8w==
laiGCZRTkbg/XAl/Zb+D7g==
wYQysWBl+DdT5Kw=
MWo3rYV3XoAJ5aK00A==
hnht0SrcDR+XpjV6H6WUuuLR
rxqw6S7qG8A=
aEcfph/RAUAcfZYnXOw=
EXdVkuuzJ8eEjkTROs2D
MDYsc8l6w0wM7ZOiyQ==
Rw3XPwT+8UID5aK00A==
zDPp+Pskft/5iqS+0Q==
Z8h8hYCm/ULHXQ+YY2kJBcS9ZA==
vTDkm31vabx5EfoFMjLsVpBlz+fQfg==
+EcrRpZyp7tFba65dhvXBcS9ZA==
rHVJpwl6dLSATugw
gUoTghFSoTMpiXyQe9N3uOjQ
47Zwn/CkFQCty07ROs2D
NYkP+jcHuw6V
nfvdFnkHuw6V
L4piRRhAmfwGKITjemhRkmQ=
s6Jdx36Q+t5U7LE=
58iYH6dVmzYCnHZ/Zb+D7g==
IQ/WHZJWuVUD5aK00A==
Cf6t72PUxhnicjvBiFxqP0o2FPHw
DQr7l4R4rlEJ5aK00A==
62gezKeQv8mIIBbcZb+D7g==
kmuregister.com
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    4592  duvgcae.exe
    3632  duvgcae.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | duvgcae.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkloxkgy = "C:\\Users\\Admin\\AppData\\Roaming\\mwrmsxfkdml\\gmubcju.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\duvgcae.exe\" \"C:\\Users\\Admin\\AppData\\Loc" | duvgcae.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 4592 set thread context of 3632 | 4592 | duvgcae.exe  | duvgcae.exe
    PID 3632 set thread context of 2700 | 3632 | duvgcae.exe  | Explorer.EXE
    PID 1928 set thread context of 2700 | 1928 | raserver.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  Processes (pid, process):
    3632  duvgcae.exe   (8 entries)
    1928  raserver.exe  (42 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    2700  Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes (pid, process):
    4592  duvgcae.exe   (2 entries)
    3632  duvgcae.exe   (3 entries)
    1928  raserver.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege          | 3632 | duvgcae.exe
    Token: SeDebugPrivilege          | 1928 | raserver.exe
    Token: SeShutdownPrivilege       | 2700 | Explorer.EXE  (4 entries)
    Token: SeCreatePagefilePrivilege | 2700 | Explorer.EXE  (4 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    4592  duvgcae.exe  (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
    4592  duvgcae.exe  (2 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
    PID 1728 wrote to memory of 4592 | 1728 | Invoice.exe  | duvgcae.exe   (3 entries)
    PID 4592 wrote to memory of 3632 | 4592 | duvgcae.exe  | duvgcae.exe   (4 entries)
    PID 2700 wrote to memory of 1928 | 2700 | Explorer.EXE | raserver.exe  (3 entries)
Processes (indentation shows parent/child depth)
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Invoice.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\duvgcae.exe" "C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\duvgcae.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\raserver.exe
        Command line: "C:\Windows\SysWOW64\raserver.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3
  Filesize: 5KB
  MD5: 7e6ba6f36513a2cda69a15eda45b2de9
  SHA1: 5f528c1bed029bfb1ecc6b0bfaa83fd25ef9bc09
  SHA256: b9e3ad91039c82865ffe7e7be634f2168b3a7053b31e8e36e4345430d3c0fa4a
  SHA512: 44fc44089a9c8d0b9bca7ab29e8e6a868d5041bd7002a255bdfdeb344580d6c696a52aa3176c74a8a25a6179cbbc9bd488fd87a743df1cc5efbe98f18aea7b6f
- C:\Users\Admin\AppData\Local\Temp\lseflylbcc.t
  Filesize: 184KB
  MD5: 44241ea99f4c61f04185fa146d8738c4
  SHA1: 3df2d7145ee69521dc5a0102381777309574d0b0
  SHA256: dc0a3b837655f9c3d21c5933e0f92f1f341d2e7a569f123857db046daaac9a84
  SHA512: c8dd7e2026b500c4af88876c981a630b26e3b72ff42026539bebf5d9547ebbdd61d427232a9cb123ac2fb5859705e495addb77f9860549dc49661243f5c8b715
- C:\Users\Admin\AppData\Local\Temp\ygxmywv.k
  Filesize: 86KB
  MD5: 632e8107bcf473c922f1dc510a60d620
  SHA1: 7f2cf9095a6a09d14a01cc7cf38b704252942eb9
  SHA256: edaee34a2d9d5ae9b2bb18be65616404f4b879ee2022f648bc90ce8260949629
  SHA512: 402e55f52a39f44f5116de38e5c5e267b452ac7f4bb5394a7d9f5ead8081938185a9d16cc0cd071f6c8985df1565d38adc6a1d7490e471a204c4ed5dc121bde7
- memory/1928-145-0x0000000000000000-mapping.dmp
- memory/1928-152-0x00000000012B0000-0x00000000012DD000-memory.dmp (Filesize: 180KB)
- memory/1928-150-0x0000000003110000-0x000000000319F000-memory.dmp (Filesize: 572KB)
- memory/1928-148-0x0000000003310000-0x000000000365A000-memory.dmp (Filesize: 3.3MB)
- memory/1928-146-0x00000000005C0000-0x00000000005DF000-memory.dmp (Filesize: 124KB)
- memory/1928-147-0x00000000012B0000-0x00000000012DD000-memory.dmp (Filesize: 180KB)
- memory/2700-156-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-153-0x0000000009150000-0x0000000009209000-memory.dmp (Filesize: 740KB)
- memory/2700-163-0x0000000001520000-0x0000000001530000-memory.dmp (Filesize: 64KB)
- memory/2700-162-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-161-0x0000000001480000-0x0000000001490000-memory.dmp (Filesize: 64KB)
- memory/2700-149-0x0000000008EC0000-0x0000000008FAC000-memory.dmp (Filesize: 944KB)
- memory/2700-160-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-151-0x0000000009150000-0x0000000009209000-memory.dmp (Filesize: 740KB)
- memory/2700-159-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-144-0x0000000008EC0000-0x0000000008FAC000-memory.dmp (Filesize: 944KB)
- memory/2700-154-0x0000000001480000-0x0000000001490000-memory.dmp (Filesize: 64KB)
- memory/2700-155-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-158-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/2700-157-0x0000000001510000-0x0000000001520000-memory.dmp (Filesize: 64KB)
- memory/3632-138-0x0000000000000000-mapping.dmp
- memory/3632-140-0x0000000000840000-0x000000000086E000-memory.dmp (Filesize: 184KB)
- memory/3632-141-0x0000000001160000-0x00000000014AA000-memory.dmp (Filesize: 3.3MB)
- memory/3632-143-0x0000000000D00000-0x0000000000D10000-memory.dmp (Filesize: 64KB)
- memory/3632-142-0x0000000000862000-0x0000000000864000-memory.dmp (Filesize: 8KB)
- memory/4592-132-0x0000000000000000-mapping.dmp