Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-01-2023 10:11
Static task
static1
Behavioral task
behavioral1
Sample
Payment advice.exe
Resource
win7-20221111-en
General
-
Target
Payment advice.exe
-
Size
664KB
-
MD5
c59007226b76f19d81731c274478a91f
-
SHA1
226308c36c0a4f7b63a46e470f0d79c217c03a07
-
SHA256
c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace
-
SHA512
0b15bfbdab99569764d7ed50328c73761cb44c8def6081693abf0ff91aab0d202d80c286b9c7422700dea8844890c2ee76f790b93116b4274353e678eb3ee343
-
SSDEEP
12288:20Q4KjkKYrubiXG+IF8zIqW5temxhjejvnapEOfr52oj1fpiC0mn/Yic4:oolr6Ue87W5tem2jAlr5lVwic4
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
Payment advice.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions Payment advice.exe -
Blocklisted process makes network request 2 IoCs
Processes:
msiexec.exeflow pid process 7 1396 msiexec.exe 8 1396 msiexec.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
Payment advice.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools Payment advice.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Payment advice.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Payment advice.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Payment advice.exe -
Loads dropped DLL 1 IoCs
Processes:
msiexec.exepid process 1396 msiexec.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Payment advice.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Payment advice.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Payment advice.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Payment advice.exeRegSvcs.exemsiexec.exedescription pid process target process PID 2012 set thread context of 1008 2012 Payment advice.exe RegSvcs.exe PID 1008 set thread context of 1212 1008 RegSvcs.exe Explorer.EXE PID 1396 set thread context of 1212 1396 msiexec.exe Explorer.EXE -
Processes:
msiexec.exedescription ioc process Key created \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msiexec.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
Payment advice.exeRegSvcs.exemsiexec.exepid process 2012 Payment advice.exe 2012 Payment advice.exe 2012 Payment advice.exe 1008 RegSvcs.exe 1008 RegSvcs.exe 1008 RegSvcs.exe 1008 RegSvcs.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegSvcs.exemsiexec.exepid process 1008 RegSvcs.exe 1008 RegSvcs.exe 1008 RegSvcs.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe 1396 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Payment advice.exeRegSvcs.exemsiexec.exedescription pid process Token: SeDebugPrivilege 2012 Payment advice.exe Token: SeDebugPrivilege 1008 RegSvcs.exe Token: SeDebugPrivilege 1396 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
Payment advice.exeExplorer.EXEmsiexec.exedescription pid process target process PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1908 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 2012 wrote to memory of 1008 2012 Payment advice.exe RegSvcs.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1212 wrote to memory of 1396 1212 Explorer.EXE msiexec.exe PID 1396 wrote to memory of 1828 1396 msiexec.exe Firefox.exe PID 1396 wrote to memory of 1828 1396 msiexec.exe Firefox.exe PID 1396 wrote to memory of 1828 1396 msiexec.exe Firefox.exe PID 1396 wrote to memory of 1828 1396 msiexec.exe Firefox.exe PID 1396 wrote to memory of 1828 1396 msiexec.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
807KB
MD516a1612789dc9063ebea1cb55433b45b
SHA1438fde2939bbb9b5b437f64f21c316c17ce4a7f6
SHA2566deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b
SHA512d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3
-
memory/1008-65-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1008-59-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1008-66-0x0000000000890000-0x0000000000B93000-memory.dmpFilesize
3.0MB
-
memory/1008-64-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1008-67-0x0000000000170000-0x0000000000180000-memory.dmpFilesize
64KB
-
memory/1008-60-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1008-62-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1008-63-0x00000000004012E0-mapping.dmp
-
memory/1212-68-0x0000000004C20000-0x0000000004CE8000-memory.dmpFilesize
800KB
-
memory/1212-76-0x0000000004F70000-0x0000000005076000-memory.dmpFilesize
1.0MB
-
memory/1212-75-0x0000000004F70000-0x0000000005076000-memory.dmpFilesize
1.0MB
-
memory/1396-72-0x0000000000090000-0x00000000000BD000-memory.dmpFilesize
180KB
-
memory/1396-69-0x0000000000000000-mapping.dmp
-
memory/1396-74-0x0000000000980000-0x0000000000A0F000-memory.dmpFilesize
572KB
-
memory/1396-73-0x0000000002360000-0x0000000002663000-memory.dmpFilesize
3.0MB
-
memory/1396-71-0x0000000000C70000-0x0000000000C84000-memory.dmpFilesize
80KB
-
memory/2012-58-0x0000000000AF0000-0x0000000000B24000-memory.dmpFilesize
208KB
-
memory/2012-56-0x0000000000710000-0x000000000071E000-memory.dmpFilesize
56KB
-
memory/2012-57-0x00000000052B0000-0x000000000533C000-memory.dmpFilesize
560KB
-
memory/2012-54-0x0000000000D50000-0x0000000000DFC000-memory.dmpFilesize
688KB
-
memory/2012-55-0x0000000076931000-0x0000000076933000-memory.dmpFilesize
8KB