Behavioral Report

General

Target

invoice and packing list.exe
Size

863KB
MD5

629650941c646616da246f363ac31b64
SHA1

61c75662747d73543a4fd4ef522fa4e1d68a2123
SHA256

5fd88707644b5c51752f574b44b60add5b279713e5fd1b47fe95f5cf97fa634e
SHA512

f762d0d13fdaf114e6e646686e7c425c015d1cec2dc3fa2207ed51cd1c1fc8c6e16dbfd85e52ea832c16ed5aa7cdc2e23a1cf1768e7743cd116290c6d5047c67
SSDEEP

24576:rVO8kyGyOMQzlG27ScBABcU9Ny6AAgZy:w8kypOMj27EcUry6Au

Score

7^/10

collection persistence

Malware Config

Signatures

Checks computer location settings ⋅ 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

invoice and packing list.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	invoice and packing list.exe

Accesses Microsoft Outlook profiles ⋅ 1 TTPs 3 IoCs

collection

TTPs:

Email Collection

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zOwta = "C:\\Users\\Admin\\AppData\\Roaming\\zOwta\\zOwta.exe"	RegSvcs.exe

Looks up external IP address via web service ⋅ 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org
35 api.ipify.org
Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

invoice and packing list.exe

description pid process target process

PID 3736 set thread context of 4180 3736 invoice and packing list.exe RegSvcs.exe
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exe

pid process

4468 schtasks.exe
Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs

Processes:

invoice and packing list.exepowershell.exe

pid process

3736 invoice and packing list.exe
812 powershell.exe
3736 invoice and packing list.exe
812 powershell.exe

flow	ioc
34	api.ipify.org
35	api.ipify.org

description	pid	process	target process
PID 3736 set thread context of 4180	3736	invoice and packing list.exe	RegSvcs.exe

pid	process
4468	schtasks.exe

pid	process
3736	invoice and packing list.exe
812	powershell.exe
3736	invoice and packing list.exe
812	powershell.exe

Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs

Processes:

invoice and packing list.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3736	invoice and packing list.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	4180	RegSvcs.exe

Suspicious use of SetWindowsHookEx ⋅ 1 IoCs

Processes:

RegSvcs.exe

pid process

4180 RegSvcs.exe

pid	process
4180	RegSvcs.exe

Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes:

invoice and packing list.exe

description	pid	process	target process
PID 3736 wrote to memory of 812	3736	invoice and packing list.exe	powershell.exe
PID 3736 wrote to memory of 812	3736	invoice and packing list.exe	powershell.exe
PID 3736 wrote to memory of 812	3736	invoice and packing list.exe	powershell.exe
PID 3736 wrote to memory of 4468	3736	invoice and packing list.exe	schtasks.exe
PID 3736 wrote to memory of 4468	3736	invoice and packing list.exe	schtasks.exe
PID 3736 wrote to memory of 4468	3736	invoice and packing list.exe	schtasks.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe
PID 3736 wrote to memory of 4180	3736	invoice and packing list.exe	RegSvcs.exe

outlook_office_path ⋅ 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path ⋅ 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe

"C:\Users\Admin\AppData\Local\Temp\invoice and packing list.exe"

Checks computer location settings
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZJXVF.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:812

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZJXVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp"

Creates scheduled task(s)

PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
outlook_office_path
outlook_win_path

PID:4180

Network

MITRE ATT&CK Matrix

Collection

Email Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp
MD5
5dd262d419b12dbb4d577b3a8a3f5040

SHA1
3fd3d12a5b11d863116ae79b71726298c82faeb3

SHA256
66d94608dbe8dfb55c87006d7012aa0062efe28c4127574d993b464c4fa6eb7e

SHA512
7aeb01c1a87e802e8f8ed4d7ad92f66191a519261890639ecfdbecfa98957358e2086a92e51bec9633c669df45ce4f2e0e293b0665772a3f78ff78247691ff14

Download Submit
memory/812-146-0x0000000005830000-0x0000000005896000-memory.dmp

Download
memory/812-147-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Download
memory/812-145-0x0000000005650000-0x00000000056B6000-memory.dmp

Download
memory/812-158-0x0000000007330000-0x0000000007338000-memory.dmp

Download
memory/812-137-0x0000000000000000-mapping.dmp

Download
memory/812-156-0x0000000007350000-0x000000000736A000-memory.dmp

Download
memory/812-139-0x00000000023E0000-0x0000000002416000-memory.dmp

Download
memory/812-155-0x0000000007240000-0x000000000724E000-memory.dmp

Download
memory/812-141-0x0000000004E80000-0x00000000054A8000-memory.dmp

Download
memory/812-150-0x00000000062A0000-0x00000000062BE000-memory.dmp

Download
memory/812-153-0x0000000007080000-0x000000000708A000-memory.dmp

Download
memory/812-144-0x00000000055B0000-0x00000000055D2000-memory.dmp

Download
memory/812-152-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Download
memory/812-151-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Download
memory/812-154-0x0000000007290000-0x0000000007326000-memory.dmp

Download
memory/812-148-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Download
memory/812-149-0x00000000710C0000-0x000000007110C000-memory.dmp

Download
memory/3736-133-0x0000000005EB0000-0x0000000006454000-memory.dmp

Download
memory/3736-135-0x00000000058D0000-0x00000000058DA000-memory.dmp

Download
memory/3736-134-0x0000000005900000-0x0000000005992000-memory.dmp

Download
memory/3736-136-0x0000000006460000-0x00000000064FC000-memory.dmp

Download
memory/3736-132-0x0000000000E40000-0x0000000000F1E000-memory.dmp

Download
memory/4180-159-0x0000000006570000-0x0000000006732000-memory.dmp

Download
memory/4180-143-0x0000000000400000-0x0000000000430000-memory.dmp

Download
memory/4180-142-0x0000000000000000-mapping.dmp

Download
memory/4180-157-0x0000000006350000-0x00000000063A0000-memory.dmp

Download
memory/4468-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads