Behavioral Report

General

Target

invoice and packing list.exe
Size

863KB
MD5

629650941c646616da246f363ac31b64
SHA1

61c75662747d73543a4fd4ef522fa4e1d68a2123
SHA256

5fd88707644b5c51752f574b44b60add5b279713e5fd1b47fe95f5cf97fa634e
SHA512

f762d0d13fdaf114e6e646686e7c425c015d1cec2dc3fa2207ed51cd1c1fc8c6e16dbfd85e52ea832c16ed5aa7cdc2e23a1cf1768e7743cd116290c6d5047c67
SSDEEP

24576:rVO8kyGyOMQzlG27ScBABcU9Ny6AAgZy:w8kypOMj27EcUry6Au

Score

6^/10

collection persistence

Malware Config

Signatures

Accesses Microsoft Outlook profiles ⋅ 1 TTPs 3 IoCs

collection

TTPs:

Email Collection

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\zOwta = "C:\\Users\\Admin\\AppData\\Roaming\\zOwta\\zOwta.exe"	RegSvcs.exe

Looks up external IP address via web service ⋅ 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

invoice and packing list.exe

description pid process target process

PID 1116 set thread context of 1700 1116 invoice and packing list.exe RegSvcs.exe
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exe

pid process

1888 schtasks.exe
Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs

Processes:

invoice and packing list.exepowershell.exe

pid process

1116 invoice and packing list.exe
1116 invoice and packing list.exe
2008 powershell.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1116 set thread context of 1700	1116	invoice and packing list.exe	RegSvcs.exe

pid	process
1888	schtasks.exe

pid	process
1116	invoice and packing list.exe
1116	invoice and packing list.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs

Processes:

invoice and packing list.exeRegSvcs.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1116	invoice and packing list.exe
Token: SeDebugPrivilege	1700	RegSvcs.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of SetWindowsHookEx ⋅ 1 IoCs

Processes:

RegSvcs.exe

pid process

1700 RegSvcs.exe

pid	process
1700	RegSvcs.exe

Suspicious use of WriteProcessMemory ⋅ 20 IoCs

Processes:

invoice and packing list.exe

description	pid	process	target process
PID 1116 wrote to memory of 2008	1116	invoice and packing list.exe	powershell.exe
PID 1116 wrote to memory of 2008	1116	invoice and packing list.exe	powershell.exe
PID 1116 wrote to memory of 2008	1116	invoice and packing list.exe	powershell.exe
PID 1116 wrote to memory of 2008	1116	invoice and packing list.exe	powershell.exe
PID 1116 wrote to memory of 1888	1116	invoice and packing list.exe	schtasks.exe
PID 1116 wrote to memory of 1888	1116	invoice and packing list.exe	schtasks.exe
PID 1116 wrote to memory of 1888	1116	invoice and packing list.exe	schtasks.exe
PID 1116 wrote to memory of 1888	1116	invoice and packing list.exe	schtasks.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe
PID 1116 wrote to memory of 1700	1116	invoice and packing list.exe	RegSvcs.exe

outlook_office_path ⋅ 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path ⋅ 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe

"C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZJXVF.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2008

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZJXVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDECC.tmp"

Creates scheduled task(s)

PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
outlook_office_path
outlook_win_path

PID:1700

Network

MITRE ATT&CK Matrix

Collection

Email Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDECC.tmp
MD5
e8384c7feb63671bf3adc464e7fe8623

SHA1
48673166dac1d919647e88915c2a3d4b76bdfce1

SHA256
0c885673641f60cfc8488e8b2e9017e1c71961f2c5af592d9628f5e9636aa171

SHA512
f9b924e633108391b63183fbbdbf2cf38b374e4330935a0fff7d6e701772221002d381edb2660ef9178f54848dac8367ab74ebbe841a9a419673441598767d10

Download Submit
memory/1116-63-0x0000000000D40000-0x0000000000D72000-memory.dmp

Download
memory/1116-55-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Download
memory/1116-56-0x0000000000890000-0x00000000008A0000-memory.dmp

Download
memory/1116-58-0x00000000053A0000-0x000000000540A000-memory.dmp

Download
memory/1116-57-0x00000000008D0000-0x00000000008DA000-memory.dmp

Download
memory/1116-54-0x0000000000FD0000-0x00000000010AE000-memory.dmp

Download
memory/1700-70-0x000000000042AB8E-mapping.dmp

Download
memory/1700-67-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-68-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-69-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-65-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-72-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-74-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1700-64-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/1888-60-0x0000000000000000-mapping.dmp

Download
memory/2008-77-0x000000006E9A0000-0x000000006EF4B000-memory.dmp

Download
memory/2008-59-0x0000000000000000-mapping.dmp

Download
memory/2008-76-0x000000006E9A0000-0x000000006EF4B000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads