Analysis
- max time kernel: 54s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: invoice and packing list.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: invoice and packing list.exe
  Resource: win10v2004-20220812-en
General
- Target: invoice and packing list.exe
- Size: 863KB
- MD5: 629650941c646616da246f363ac31b64
- SHA1: 61c75662747d73543a4fd4ef522fa4e1d68a2123
- SHA256: 5fd88707644b5c51752f574b44b60add5b279713e5fd1b47fe95f5cf97fa634e
- SHA512: f762d0d13fdaf114e6e646686e7c425c015d1cec2dc3fa2207ed51cd1c1fc8c6e16dbfd85e52ea832c16ed5aa7cdc2e23a1cf1768e7743cd116290c6d5047c67
- SSDEEP: 24576:rVO8kyGyOMQzlG27ScBABcU9Ny6AAgZy:w8kypOMj27EcUry6Au
Malware Config
Signatures
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zOwta = "C:\\Users\\Admin\\AppData\\Roaming\\zOwta\\zOwta.exe" | RegSvcs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: invoice and packing list.exe
  description | pid | process | target process
  PID 1032 set thread context of 620 | 1032 | invoice and packing list.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: invoice and packing list.exe, powershell.exe
  pid | process
  1032 | invoice and packing list.exe (4 entries)
  1516 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: invoice and packing list.exe, RegSvcs.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1032 | invoice and packing list.exe
  Token: SeDebugPrivilege | 620 | RegSvcs.exe
  Token: SeDebugPrivilege | 1516 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  620 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: invoice and packing list.exe
  description | pid | process | target process
  PID 1032 wrote to memory of 1516 | 1032 | invoice and packing list.exe | powershell.exe (4 entries)
  PID 1032 wrote to memory of 988 | 1032 | invoice and packing list.exe | schtasks.exe (4 entries)
  PID 1032 wrote to memory of 288 | 1032 | invoice and packing list.exe | RegSvcs.exe (7 entries)
  PID 1032 wrote to memory of 620 | 1032 | invoice and packing list.exe | RegSvcs.exe (12 entries)
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZJXVF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZJXVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp
  Filesize: 1KB
  MD5: ba5d0e62e38c574d2ce3711d58421e2b
  SHA1: 2cd19df15eb3dffc559e264a7067e413218a51e9
  SHA256: 3d3488d248280aa423a6e1744a6f11eee288b7ac942c58bafc41071840c9ce7f
  SHA512: 1387f97e7e88488bff4958430ea9babaa5de5e6af6b6465cd53b4f4a15718345c46b2719d213287583aa5672dbfc2766189174f97367808274b2af8c18f41f28
- memory/620-67-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-72-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-74-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-70-0x000000000042AB8E-mapping.dmp
- memory/620-69-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-65-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-68-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/620-64-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/988-60-0x0000000000000000-mapping.dmp
- memory/1032-58-0x00000000051C0000-0x000000000522A000-memory.dmp
  Filesize: 424KB
- memory/1032-63-0x0000000004A90000-0x0000000004AC2000-memory.dmp
  Filesize: 200KB
- memory/1032-54-0x0000000000990000-0x0000000000A6E000-memory.dmp
  Filesize: 888KB
- memory/1032-57-0x00000000003B0000-0x00000000003BA000-memory.dmp
  Filesize: 40KB
- memory/1032-56-0x0000000000330000-0x0000000000340000-memory.dmp
  Filesize: 64KB
- memory/1032-55-0x0000000075501000-0x0000000075503000-memory.dmp
  Filesize: 8KB
- memory/1516-59-0x0000000000000000-mapping.dmp
- memory/1516-76-0x000000006E570000-0x000000006EB1B000-memory.dmp
  Filesize: 5.7MB
- memory/1516-77-0x000000006E570000-0x000000006EB1B000-memory.dmp
  Filesize: 5.7MB