Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2023 10:11

General

  • Target

    Payment advice.exe

  • Size

    664KB

  • MD5

    c59007226b76f19d81731c274478a91f

  • SHA1

    226308c36c0a4f7b63a46e470f0d79c217c03a07

  • SHA256

    c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace

  • SHA512

    0b15bfbdab99569764d7ed50328c73761cb44c8def6081693abf0ff91aab0d202d80c286b9c7422700dea8844890c2ee76f790b93116b4274353e678eb3ee343

  • SSDEEP

    12288:20Q4KjkKYrubiXG+IF8zIqW5temxhjejvnapEOfr52oj1fpiC0mn/Yic4:oolr6Ue87W5tem2jAlr5lVwic4

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Payment advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:1908
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:896
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:892
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            2⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:1828

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Virtualization/Sandbox Evasion (2) T1497
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (4) T1012
    • Virtualization/Sandbox Evasion (2) T1497
    • System Information Discovery (2) T1082
    • Peripheral Device Discovery (1) T1120


Downloads

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
    Filesize: 807KB
    MD5: 16a1612789dc9063ebea1cb55433b45b
    SHA1: 438fde2939bbb9b5b437f64f21c316c17ce4a7f6
    SHA256: 6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b
    SHA512: d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3
  • memory/1008-65-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1008-59-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1008-66-0x0000000000890000-0x0000000000B93000-memory.dmp
    Filesize: 3.0MB
  • memory/1008-64-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1008-67-0x0000000000170000-0x0000000000180000-memory.dmp
    Filesize: 64KB
  • memory/1008-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1008-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/1008-63-0x00000000004012E0-mapping.dmp
  • memory/1212-68-0x0000000004C20000-0x0000000004CE8000-memory.dmp
    Filesize: 800KB
  • memory/1212-76-0x0000000004F70000-0x0000000005076000-memory.dmp
    Filesize: 1.0MB
  • memory/1212-75-0x0000000004F70000-0x0000000005076000-memory.dmp
    Filesize: 1.0MB
  • memory/1396-72-0x0000000000090000-0x00000000000BD000-memory.dmp
    Filesize: 180KB
  • memory/1396-69-0x0000000000000000-mapping.dmp
  • memory/1396-74-0x0000000000980000-0x0000000000A0F000-memory.dmp
    Filesize: 572KB
  • memory/1396-73-0x0000000002360000-0x0000000002663000-memory.dmp
    Filesize: 3.0MB
  • memory/1396-71-0x0000000000C70000-0x0000000000C84000-memory.dmp
    Filesize: 80KB
  • memory/2012-58-0x0000000000AF0000-0x0000000000B24000-memory.dmp
    Filesize: 208KB
  • memory/2012-56-0x0000000000710000-0x000000000071E000-memory.dmp
    Filesize: 56KB
  • memory/2012-57-0x00000000052B0000-0x000000000533C000-memory.dmp
    Filesize: 560KB
  • memory/2012-54-0x0000000000D50000-0x0000000000DFC000-memory.dmp
    Filesize: 688KB
  • memory/2012-55-0x0000000076931000-0x0000000076933000-memory.dmp
    Filesize: 8KB