Overview

overview

10

Static

static

1

Invoice.exe

windows7-x64

10

Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2023 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.exe

  • Size

    592KB

  • MD5

    fed122c27dd23694b3f84df9bc37ea14

  • SHA1

    e5e8f651530c1ee6ad12d0bdc06b1f86bf74ff38

  • SHA256

    3d7a7cad37509dedfd5d195c2f974e4ed7b2a03ead71e4744d753f40a3d4b43d

  • SHA512

    6e2e84c925e4b6e561d0c27f997bef7b319c87f8ab12e1767e072ce33ae4d487c821835299dcc52c2a8084d98f2018750d7cc489cadcb11b43a6a411c179f17d

  • SSDEEP

    12288:LLxq34o4lbX2ZE2cjTYNqy+1oE9hPIc0ohhQ7OfJ+6bhwfK71aK:UohAcFhhQ7OBtf

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\oyj.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 36
        3⤵
        • Runs ping.exe
        PID:3820
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\oyj.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Invoice.exe" "C:\Users\Admin\AppData\Local\oyj.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Local\oyj.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:4340
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:2820
      • C:\Users\Admin\AppData\Local\oyj.exe
        "C:\Users\Admin\AppData\Local\oyj.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\oyj.exe
    Filesize

    592KB

    MD5

    fed122c27dd23694b3f84df9bc37ea14

    SHA1

    e5e8f651530c1ee6ad12d0bdc06b1f86bf74ff38

    SHA256

    3d7a7cad37509dedfd5d195c2f974e4ed7b2a03ead71e4744d753f40a3d4b43d

    SHA512

    6e2e84c925e4b6e561d0c27f997bef7b319c87f8ab12e1767e072ce33ae4d487c821835299dcc52c2a8084d98f2018750d7cc489cadcb11b43a6a411c179f17d

    Download Submit

  • C:\Users\Admin\AppData\Local\oyj.exe
    Filesize

    592KB

    MD5

    fed122c27dd23694b3f84df9bc37ea14

    SHA1

    e5e8f651530c1ee6ad12d0bdc06b1f86bf74ff38

    SHA256

    3d7a7cad37509dedfd5d195c2f974e4ed7b2a03ead71e4744d753f40a3d4b43d

    SHA512

    6e2e84c925e4b6e561d0c27f997bef7b319c87f8ab12e1767e072ce33ae4d487c821835299dcc52c2a8084d98f2018750d7cc489cadcb11b43a6a411c179f17d

    Download Submit

  • memory/928-160-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-159-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-158-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-157-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-156-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-155-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-154-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-153-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/928-152-0x0000000000FE0000-0x000000000107A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/1636-139-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1636-145-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-144-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-143-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-142-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-141-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-140-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-133-0x00000000005E0000-0x000000000067A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/1636-138-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-137-0x00000000087F0000-0x0000000008882000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1636-136-0x0000000005100000-0x0000000005110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1636-135-0x00000000051D0000-0x000000000526C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1636-134-0x0000000005780000-0x0000000005D24000-memory.dmp

    Filesize

    5.6MB

    Download