30149d9556f178c28e1979f8f10f82800199157674098e9a05be93eccdaa59e3

Analysis

max time kernel
152s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/03/2023, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment advise.exe
Size

432KB
MD5

f53e373bcbb159929b316d01bd4bb674
SHA1

c5b593139f511e8fc57fc28a1bf7838d5314dca0
SHA256

30149d9556f178c28e1979f8f10f82800199157674098e9a05be93eccdaa59e3
SHA512

615a8d4ecc34182470141af8860aa03929558a80eb80a07d9d31a3195b4f665ab41d83f4c0b1005a6339f0c4603f2075207b866841cdb98bd8768d678b4b66c1
SSDEEP

6144:yYa6fM/p5HwVquKO8g4ZPpywgSS1G2PTwChxGcCoTYjwiqf9g7CO3Tdi:yYpM8YdOQRA1G2PtruCYjYf9MXM

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1492	cscript.exe
23	1492	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation	etrbpet.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	etrbpet.exe
596	etrbpet.exe

Loads dropped DLL 4 IoCs

pid	Process
1072	Payment advise.exe
1072	Payment advise.exe
2004	etrbpet.exe
1492	cscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 596	2004	etrbpet.exe	30
PID 596 set thread context of 1264	596	etrbpet.exe	16
PID 1492 set thread context of 1264	1492	cscript.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2647223082-2067913677-935928954-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
596	etrbpet.exe
596	etrbpet.exe
596	etrbpet.exe
596	etrbpet.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2004	etrbpet.exe
596	etrbpet.exe
596	etrbpet.exe
596	etrbpet.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe
1492	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	etrbpet.exe
Token: SeDebugPrivilege	1492	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2004	1072	Payment advise.exe	28
PID 1072 wrote to memory of 2004	1072	Payment advise.exe	28
PID 1072 wrote to memory of 2004	1072	Payment advise.exe	28
PID 1072 wrote to memory of 2004	1072	Payment advise.exe	28
PID 2004 wrote to memory of 596	2004	etrbpet.exe	30
PID 2004 wrote to memory of 596	2004	etrbpet.exe	30
PID 2004 wrote to memory of 596	2004	etrbpet.exe	30
PID 2004 wrote to memory of 596	2004	etrbpet.exe	30
PID 2004 wrote to memory of 596	2004	etrbpet.exe	30
PID 1264 wrote to memory of 1492	1264	Explorer.EXE	31
PID 1264 wrote to memory of 1492	1264	Explorer.EXE	31
PID 1264 wrote to memory of 1492	1264	Explorer.EXE	31
PID 1264 wrote to memory of 1492	1264	Explorer.EXE	31
PID 1492 wrote to memory of 2012	1492	cscript.exe	34
PID 1492 wrote to memory of 2012	1492	cscript.exe	34
PID 1492 wrote to memory of 2012	1492	cscript.exe	34
PID 1492 wrote to memory of 2012	1492	cscript.exe	34
PID 1492 wrote to memory of 2012	1492	cscript.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\Payment advise.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment advise.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\etrbpet.exe
    "C:\Users\Admin\AppData\Local\Temp\etrbpet.exe" C:\Users\Admin\AppData\Local\Temp\nkcrwxo.pay
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\etrbpet.exe
      "C:\Users\Admin\AppData\Local\Temp\etrbpet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:596
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apcett.v

Filesize
205KB

MD5
7ce58eb076bf021a751ab7523622a569

SHA1
5580cd8df71bcf1a0d4d1c2823cc87fd9859ae1f

SHA256
21f13e26e05a4fd173b7d9bed2d026656de098ab11e437e67cd7dca0d2890f5c

SHA512
624e5468efa482f1365c14c74d0d204d13bc35eadcc8305735c455ebcfacbe2c4d64bb610ae79e35241bfcdf7dcd4bd25a4b68185e6f71762664f69995643452

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkcrwxo.pay

Filesize
5KB

MD5
d5d066735ac5be0b041b435f67307a76

SHA1
57a05102d17ac754192e6a178b50ad6e2e7221a1

SHA256
d73621a04bba9fb070571aad3bea90b2e4f6f2d231fec263954eedca9c66327b

SHA512
7b84179b5be6a880ca4c831bc757e60178dc18a592c3075b7139f4482081113ec1b6d4e26ab115987d3e3375f8f64a7b4ca27073b6a8da341452f4411c8d480e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrhtmrm8.zip

Filesize
486KB

MD5
1e73cacce02ae20026a81f1e56416aa3

SHA1
f491a7301ce11cf11a92c0245c7e03d927422286

SHA256
0dd0dd38cde5a14e7d6d0830db62cc7037e521fd042b0b8da0763128b2c0b3f2

SHA512
afe77facd8b16cc744ac2277414ffaf83436999d15eb8ac707f8098e2f8ed4cb29b430392ebe46b7fa65b20730615bc33dee9416f7141da5032a630894980a0a

Download Submit
\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
\Users\Admin\AppData\Local\Temp\etrbpet.exe

Filesize
137KB

MD5
fa9c760d2f1fa51f0c5fc931f60cdda9

SHA1
95e5d1b6f0e8157157ce62f593bab962a0fd6f5d

SHA256
555e76ed54851418c0bd60ab83c6cb8fe2b76edfed0f1383d9da18acf8c1a655

SHA512
22d661704bd3b50948bdbc203a6cd05c14e3c113097dcb350be26c58191c8fdf2ce3338d216dfdf02c135a1c0a64077de6c85c3ade12c9a32c71f356d0ad4b17

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
memory/596-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-75-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/596-76-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/596-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-82-0x0000000004310000-0x00000000043A6000-memory.dmp

Filesize
600KB

Download
memory/1264-77-0x0000000004B80000-0x0000000004CAA000-memory.dmp

Filesize
1.2MB

Download
memory/1264-73-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1264-86-0x0000000004310000-0x00000000043A6000-memory.dmp

Filesize
600KB

Download
memory/1492-80-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1492-84-0x00000000008E0000-0x000000000096F000-memory.dmp

Filesize
572KB

Download
memory/1492-81-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/1492-79-0x00000000009A0000-0x00000000009C2000-memory.dmp

Filesize
136KB

Download
memory/1492-78-0x00000000009A0000-0x00000000009C2000-memory.dmp

Filesize
136KB

Download
memory/1492-128-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download