5c11c170ecb5809594f68e860f910f6d004e356d067be232c3c856c9ed78459f

Analysis

max time kernel
77s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT SWIFT COPY.exe
Size

1.1MB
MD5

ec7c37ae9c0377f3240a274290c9c214
SHA1

432915cb9e9e860a84e142719bf0e82392c69a6a
SHA256

5c11c170ecb5809594f68e860f910f6d004e356d067be232c3c856c9ed78459f
SHA512

326f282eb2a8c6f79de6f7019fc7d16be88345467301bc1d28c36f5c7094ac38ec206dc068d24c8bcecd0cb02e39af1d5070f839f9518f0e8e149ac5c5c0c576
SSDEEP

24576:KZUu39V1vMSb4gz1o5Ti81zSdyrjLDjFPR6KrXmTDa:yltsSkW1o5Tiouy/z6KrXmX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
920	PAYMENT SWIFT COPY.exe
1640	powershell.exe
588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	PAYMENT SWIFT COPY.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 588	920	PAYMENT SWIFT COPY.exe	28
PID 920 wrote to memory of 588	920	PAYMENT SWIFT COPY.exe	28
PID 920 wrote to memory of 588	920	PAYMENT SWIFT COPY.exe	28
PID 920 wrote to memory of 588	920	PAYMENT SWIFT COPY.exe	28
PID 920 wrote to memory of 1640	920	PAYMENT SWIFT COPY.exe	30
PID 920 wrote to memory of 1640	920	PAYMENT SWIFT COPY.exe	30
PID 920 wrote to memory of 1640	920	PAYMENT SWIFT COPY.exe	30
PID 920 wrote to memory of 1640	920	PAYMENT SWIFT COPY.exe	30
PID 920 wrote to memory of 1544	920	PAYMENT SWIFT COPY.exe	32
PID 920 wrote to memory of 1544	920	PAYMENT SWIFT COPY.exe	32
PID 920 wrote to memory of 1544	920	PAYMENT SWIFT COPY.exe	32
PID 920 wrote to memory of 1544	920	PAYMENT SWIFT COPY.exe	32
PID 920 wrote to memory of 1160	920	PAYMENT SWIFT COPY.exe	34
PID 920 wrote to memory of 1160	920	PAYMENT SWIFT COPY.exe	34
PID 920 wrote to memory of 1160	920	PAYMENT SWIFT COPY.exe	34
PID 920 wrote to memory of 1160	920	PAYMENT SWIFT COPY.exe	34
PID 920 wrote to memory of 1680	920	PAYMENT SWIFT COPY.exe	35
PID 920 wrote to memory of 1680	920	PAYMENT SWIFT COPY.exe	35
PID 920 wrote to memory of 1680	920	PAYMENT SWIFT COPY.exe	35
PID 920 wrote to memory of 1680	920	PAYMENT SWIFT COPY.exe	35
PID 920 wrote to memory of 1004	920	PAYMENT SWIFT COPY.exe	36
PID 920 wrote to memory of 1004	920	PAYMENT SWIFT COPY.exe	36
PID 920 wrote to memory of 1004	920	PAYMENT SWIFT COPY.exe	36
PID 920 wrote to memory of 1004	920	PAYMENT SWIFT COPY.exe	36
PID 920 wrote to memory of 1628	920	PAYMENT SWIFT COPY.exe	37
PID 920 wrote to memory of 1628	920	PAYMENT SWIFT COPY.exe	37
PID 920 wrote to memory of 1628	920	PAYMENT SWIFT COPY.exe	37
PID 920 wrote to memory of 1628	920	PAYMENT SWIFT COPY.exe	37
PID 920 wrote to memory of 1652	920	PAYMENT SWIFT COPY.exe	38
PID 920 wrote to memory of 1652	920	PAYMENT SWIFT COPY.exe	38
PID 920 wrote to memory of 1652	920	PAYMENT SWIFT COPY.exe	38
PID 920 wrote to memory of 1652	920	PAYMENT SWIFT COPY.exe	38

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QrErGuxRXcieO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QrErGuxRXcieO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F7A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
  2⤵
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F7A.tmp

Filesize
1KB

MD5
902d90796b20684ff404d76e1aa1eef3

SHA1
20f558e093274939f78e811878fa58154c54e897

SHA256
256d8aff4eea621f3aeb4cbd30185591e70c3ee50f2e0be805629d0e7ad552d0

SHA512
2455b2c8e79054d305f9bf3e9e03d69fb15c75a550915d6ee7275bd94257adc7d47b7020024ac5699a4b691911d184be841593675fe465cc85d9fa2411732570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DA8NMON28A5B83CE71X0.temp

Filesize
7KB

MD5
ad4cd157f75eca4289e0729821258c78

SHA1
f1f11bafec316c9571bcc0045b9000e64285ec6a

SHA256
9f61cced9edbf556b263919f47af8e4674a53082df529369a997a1bcef30b359

SHA512
e40bf4b65905890bce5addad1b2c8ed8455d58b85371c01198f1bbb32527e4cbaf8d26a7809eda875fb984aba9ce5cbd7d737cdc5d3cd44d0562532dc931aeb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ad4cd157f75eca4289e0729821258c78

SHA1
f1f11bafec316c9571bcc0045b9000e64285ec6a

SHA256
9f61cced9edbf556b263919f47af8e4674a53082df529369a997a1bcef30b359

SHA512
e40bf4b65905890bce5addad1b2c8ed8455d58b85371c01198f1bbb32527e4cbaf8d26a7809eda875fb984aba9ce5cbd7d737cdc5d3cd44d0562532dc931aeb0

Download Submit
memory/588-74-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/588-73-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/920-57-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/920-59-0x0000000008020000-0x000000000810C000-memory.dmp

Filesize
944KB

Download
memory/920-58-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/920-54-0x0000000000360000-0x0000000000474000-memory.dmp

Filesize
1.1MB

Download
memory/920-72-0x0000000005E50000-0x0000000005EC6000-memory.dmp

Filesize
472KB

Download
memory/920-56-0x00000000007C0000-0x00000000007E0000-memory.dmp

Filesize
128KB

Download
memory/920-55-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/1640-75-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download