Analysis
-
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2022 16:17
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
Resource
win7-20220901-en
General
-
Target
Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
-
Size
1.0MB
-
MD5
af4c90f16183a6ad67d309954e852c8a
-
SHA1
4b8612090c079bf462c55e774c7199d4f182e937
-
SHA256
e42dddf5106613702329f2fa39feac15baee21cd5b543d288dc82ed621eb7037
-
SHA512
c335c1ab1b2708530424dc094a9b864155275e4d462bf726b38338b9c33f6942c355b9092fa786bf1a20f99c7ac52b4c03e399ff5ab157fff556480db15fc823
-
SSDEEP
12288:0oQgKZ/nXt7virmWhlGLaQYIyzYEmgX/Lifi1SXAe73hdw7YVCiJM2dycvQ0piws:fPNNwAe7x78OQ0Hx4xUhlWp
Malware Config
Extracted
formbook
m9ae
Extracted
xloader
3.Æ…
m9ae
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 5, pid 1864, process cscript.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (process: Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe)
-
Loads dropped DLL 1 IoCs
Processes:
pid 1864, process cscript.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 852 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe) set thread context of 1492 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe)
PID 1492 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe) set thread context of 1280 (Explorer.EXE)
PID 1864 (cscript.exe) set thread context of 1280 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
Key created: \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: cscript.exe)
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid 1492, Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe (4 entries)
pid 1864, cscript.exe (14 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1280, Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid 1492, Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe (3 entries)
pid 1864, cscript.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 1492, Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
Token: SeDebugPrivilege, pid 1864, cscript.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 1280, Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 1280, Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
PID 852 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe) wrote to memory of 1492 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe) (7 entries)
PID 1280 (Explorer.EXE) wrote to memory of 1864 (cscript.exe) (4 entries)
PID 1864 (cscript.exe) wrote to memory of 532 (Firefox.exe) (5 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe (depth 2)
command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe (depth 3)
command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\autochk.exe (depth 2)
command line: "C:\Windows\SysWOW64\autochk.exe"
-
C:\Windows\SysWOW64\cscript.exe (depth 2)
command line: "C:\Windows\SysWOW64\cscript.exe"
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 810KB
MD5: c6ec991471d42128268ea10236d9cdb8
SHA1: d569350d02db6a118136220da8de40a9973084f1
SHA256: 1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0
SHA512: a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57
-
memory/852-54-0x00000000000D0000-0x00000000001E2000-memory.dmp
Filesize: 1.1MB
-
memory/852-55-0x0000000074E41000-0x0000000074E43000-memory.dmp
Filesize: 8KB
-
memory/852-56-0x00000000004D0000-0x00000000004E6000-memory.dmp
Filesize: 88KB
-
memory/852-57-0x0000000000560000-0x000000000056E000-memory.dmp
Filesize: 56KB
-
memory/852-58-0x0000000005E30000-0x0000000005EC4000-memory.dmp
Filesize: 592KB
-
memory/852-59-0x0000000000760000-0x00000000007BC000-memory.dmp
Filesize: 368KB
-
memory/1280-82-0x0000000003D50000-0x0000000003DFB000-memory.dmp
Filesize: 684KB
-
memory/1280-78-0x0000000003D50000-0x0000000003DFB000-memory.dmp
Filesize: 684KB
-
memory/1280-72-0x0000000004940000-0x0000000004A0F000-memory.dmp
Filesize: 828KB
-
memory/1492-68-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize: 184KB
-
memory/1492-63-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1492-66-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1492-69-0x0000000000A80000-0x0000000000D83000-memory.dmp
Filesize: 3.0MB
-
memory/1492-71-0x0000000000070000-0x0000000000080000-memory.dmp
Filesize: 64KB
-
memory/1492-70-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize: 8KB
-
memory/1492-64-0x00000000004012B0-mapping.dmp
-
memory/1492-67-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1492-61-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1492-60-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1864-73-0x0000000000000000-mapping.dmp
-
memory/1864-77-0x0000000001E50000-0x0000000001EDF000-memory.dmp
Filesize: 572KB
-
memory/1864-76-0x0000000001F50000-0x0000000002253000-memory.dmp
Filesize: 3.0MB
-
memory/1864-80-0x0000000000070000-0x000000000009D000-memory.dmp
Filesize: 180KB
-
memory/1864-75-0x0000000000070000-0x000000000009D000-memory.dmp
Filesize: 180KB
-
memory/1864-74-0x0000000000990000-0x00000000009B2000-memory.dmp
Filesize: 136KB