Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2022 15:55
Static task: static1
Behavioral task: behavioral1
Sample: Invoice.exe
Resource: win7-20220812-en
General
- Target: Invoice.exe
- Size: 602KB
- MD5: 75bab4e3e275410ee46f56c96d2ca719
- SHA1: ff9f741609c0009d066c33d8fd8d668c66f6c829
- SHA256: 1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc
- SHA512: deb1b0dce46a9bd2b2ee90f61fbe9f41db562b35782c1b83c6ac41ff0c384ea27b828e5ef03e644b9fbd40a1dd0e24a1fa57c4eb625a24752c18b9ac2563ce57
- SSDEEP: 12288:gOVGmi1JQ52I8sDQJRZ+z+8xmduDYHkUVszxOAzZ21vMiNSpS:gcJAJtESRY+8xiHxefoNSo
Malware Config
Extracted
formbook
scse
SKpYFyVNT2zunKf0uuM=
FlEHUseI7I5XbrO8fR/XBcS9ZA==
FPuxoUOxkLiATugw
VKdxsDSk0jdT5Kw=
FpqHf9iI/1tl97E=
YGI6sIl3UIxfZvlD+JiUuuLR
oBAEO0suBEAD5aK00A==
RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
VFg9s3W0/Ype8A3cZb+D7g==
hwD+VNd6014nrsaTWm4FBcS9ZA==
zkAdUq1soKYUfZaTqLmL
XVQ9WbRivUIQ477a/hKv+g==
QireF2geizAwmp674AGc5g==
PSTUQxs6j8OATugw
LHJhyy2VbX8NEqf0uuM=
MiY1vg6T3HqATugw
wqkUjaVXnGgBqA==
jUr/eUtSIT01Wegt
PjQidcqKzAbSZICUZb+D7g==
OkAmcv12sUEAIHwFHakzdIo2FPHw
zyDLsw+3I3H6gnaGZb+D7g==
ll0HRs5IJGxCZMJPahHgOt2RqjU=
YqaIEokHuw6V
jGJG11YCObJ+IQIXCW8KU+ZcbA==
jv4ITr8zITdT5Kw=
nXYro3yHe5YV5aK00A==
rJt1IPkxeQDUayhVCJyUuuLR
oFwz1DUU/RdD5aK00A==
FHlVTKEVIRFE5aK00A==
8GhjL2lJOWD+5aK00A==
k3BLouunGsagwhAi6oeUuuLR
p45GiQN5bZMjR9karDwDa442FPHw
Zdd7rVCKu/b3TIVU6t/lP92RqjU=
wyjxGjYHuw6V
nW5RrwV6yTdT5Kw=
itzGDGclWW4SqnLBSWH5Pt2RqjU=
8zwgceJYRWn+DKf0uuM=
EmojFmj027tsHrs=
ExQEPY5UyyS00HPvNNCH8w==
laiGCZRTkbg/XAl/Zb+D7g==
wYQysWBl+DdT5Kw=
MWo3rYV3XoAJ5aK00A==
hnht0SrcDR+XpjV6H6WUuuLR
rxqw6S7qG8A=
aEcfph/RAUAcfZYnXOw=
EXdVkuuzJ8eEjkTROs2D
MDYsc8l6w0wM7ZOiyQ==
Rw3XPwT+8UID5aK00A==
zDPp+Pskft/5iqS+0Q==
Z8h8hYCm/ULHXQ+YY2kJBcS9ZA==
vTDkm31vabx5EfoFMjLsVpBlz+fQfg==
+EcrRpZyp7tFba65dhvXBcS9ZA==
rHVJpwl6dLSATugw
gUoTghFSoTMpiXyQe9N3uOjQ
47Zwn/CkFQCty07ROs2D
NYkP+jcHuw6V
nfvdFnkHuw6V
L4piRRhAmfwGKITjemhRkmQ=
s6Jdx36Q+t5U7LE=
58iYH6dVmzYCnHZ/Zb+D7g==
IQ/WHZJWuVUD5aK00A==
Cf6t72PUxhnicjvBiFxqP0o2FPHw
DQr7l4R4rlEJ5aK00A==
62gezKeQv8mIIBbcZb+D7g==
kmuregister.com
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  4968 | duvgcae.exe
  3764 | duvgcae.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | duvgcae.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkloxkgy = "C:\\Users\\Admin\\AppData\\Roaming\\mwrmsxfkdml\\gmubcju.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\duvgcae.exe\" \"C:\\Users\\Admin\\AppData\\Loc" | duvgcae.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description | pid | process | target process
  PID 4968 set thread context of 3764 | 4968 | duvgcae.exe | duvgcae.exe
  PID 3764 set thread context of 964 | 3764 | duvgcae.exe | Explorer.EXE
  PID 3764 set thread context of 964 | 3764 | duvgcae.exe | Explorer.EXE
  PID 2028 set thread context of 964 | 2028 | mstsc.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe
Modifies registry class (3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  pid | process | entries
  3764 | duvgcae.exe | 10
  2028 | mstsc.exe | 52
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  964 | Explorer.EXE
Suspicious behavior: MapViewOfSection (10 IoCs)
Processes:
  pid | process | entries
  4968 | duvgcae.exe | 2
  3764 | duvgcae.exe | 4
  2028 | mstsc.exe | 4
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  description | pid | process | entries
  Token: SeDebugPrivilege | 3764 | duvgcae.exe | 1
  Token: SeDebugPrivilege | 2028 | mstsc.exe | 1
  Token: SeShutdownPrivilege | 964 | Explorer.EXE | 5
  Token: SeCreatePagefilePrivilege | 964 | Explorer.EXE | 5
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid | process | entries
  4968 | duvgcae.exe | 2
  964 | Explorer.EXE | 2
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process | entries
  4968 | duvgcae.exe | 2
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description | pid | process | target process | entries
  PID 1564 wrote to memory of 4968 | 1564 | Invoice.exe | duvgcae.exe | 3
  PID 4968 wrote to memory of 3764 | 4968 | duvgcae.exe | duvgcae.exe | 4
  PID 964 wrote to memory of 2028 | 964 | Explorer.EXE | mstsc.exe | 3
  PID 2028 wrote to memory of 1372 | 2028 | mstsc.exe | Firefox.exe | 3
Processes

C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Invoice.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\duvgcae.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\duvgcae.exe" "C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\duvgcae.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\duvgcae.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe (depth 2; 27 separate instances, no signatures)
    command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\mstsc.exe (depth 2)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3
  Filesize: 5KB
  MD5: 7e6ba6f36513a2cda69a15eda45b2de9
  SHA1: 5f528c1bed029bfb1ecc6b0bfaa83fd25ef9bc09
  SHA256: b9e3ad91039c82865ffe7e7be634f2168b3a7053b31e8e36e4345430d3c0fa4a
  SHA512: 44fc44089a9c8d0b9bca7ab29e8e6a868d5041bd7002a255bdfdeb344580d6c696a52aa3176c74a8a25a6179cbbc9bd488fd87a743df1cc5efbe98f18aea7b6f

C:\Users\Admin\AppData\Local\Temp\lseflylbcc.t
  Filesize: 184KB
  MD5: 44241ea99f4c61f04185fa146d8738c4
  SHA1: 3df2d7145ee69521dc5a0102381777309574d0b0
  SHA256: dc0a3b837655f9c3d21c5933e0f92f1f341d2e7a569f123857db046daaac9a84
  SHA512: c8dd7e2026b500c4af88876c981a630b26e3b72ff42026539bebf5d9547ebbdd61d427232a9cb123ac2fb5859705e495addb77f9860549dc49661243f5c8b715

C:\Users\Admin\AppData\Local\Temp\ygxmywv.k
  Filesize: 86KB
  MD5: 632e8107bcf473c922f1dc510a60d620
  SHA1: 7f2cf9095a6a09d14a01cc7cf38b704252942eb9
  SHA256: edaee34a2d9d5ae9b2bb18be65616404f4b879ee2022f648bc90ce8260949629
  SHA512: 402e55f52a39f44f5116de38e5c5e267b452ac7f4bb5394a7d9f5ead8081938185a9d16cc0cd071f6c8985df1565d38adc6a1d7490e471a204c4ed5dc121bde7
Memory dumps
- memory/964-144-0x0000000003720000-0x0000000003805000-memory.dmp (Filesize: 916KB)
- memory/964-157-0x0000000008EE0000-0x0000000009062000-memory.dmp (Filesize: 1.5MB)
- memory/964-155-0x0000000008EE0000-0x0000000009062000-memory.dmp (Filesize: 1.5MB)
- memory/964-153-0x0000000008DB0000-0x0000000008EDF000-memory.dmp (Filesize: 1.2MB)
- memory/964-147-0x0000000008DB0000-0x0000000008EDF000-memory.dmp (Filesize: 1.2MB)
- memory/2028-150-0x0000000000FD0000-0x000000000110A000-memory.dmp (Filesize: 1.2MB)
- memory/2028-151-0x0000000000490000-0x00000000004BD000-memory.dmp (Filesize: 180KB)
- memory/2028-156-0x0000000000490000-0x00000000004BD000-memory.dmp (Filesize: 180KB)
- memory/2028-154-0x0000000002520000-0x00000000025AF000-memory.dmp (Filesize: 572KB)
- memory/2028-152-0x00000000026D0000-0x0000000002A1A000-memory.dmp (Filesize: 3.3MB)
- memory/2028-148-0x0000000000000000-mapping.dmp
- memory/3764-142-0x0000000000502000-0x0000000000504000-memory.dmp (Filesize: 8KB)
- memory/3764-143-0x0000000000AC0000-0x0000000000AD0000-memory.dmp (Filesize: 64KB)
- memory/3764-149-0x00000000004E0000-0x000000000050E000-memory.dmp (Filesize: 184KB)
- memory/3764-145-0x0000000000502000-0x0000000000504000-memory.dmp (Filesize: 8KB)
- memory/3764-140-0x00000000004E0000-0x000000000050E000-memory.dmp (Filesize: 184KB)
- memory/3764-146-0x0000000001000000-0x0000000001010000-memory.dmp (Filesize: 64KB)
- memory/3764-138-0x0000000000000000-mapping.dmp
- memory/3764-141-0x0000000001360000-0x00000000016AA000-memory.dmp (Filesize: 3.3MB)
- memory/4968-132-0x0000000000000000-mapping.dmp