00d4da9d4fbc98752b5b2d9ada463a4c5cd3ebfde5b81821525727b3c258a4de

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT payment.exe
Size

280KB
MD5

0b53570dda412c985f1913d0ad097b6f
SHA1

69e8648f91033de6b221c969fa1804b370f9fea1
SHA256

00d4da9d4fbc98752b5b2d9ada463a4c5cd3ebfde5b81821525727b3c258a4de
SHA512

12042e8ac4ec3554c0e847c3d92114e031f6c2d526421cfa0e5373d6caeb957858f277a2f90099a14a873715fae2fa654e53bce0265b0182435ff1ebe98c5089
SSDEEP

6144:/Ya6R+XvLSi08M0pKNQkK/1D7oTr+xGZ/e3AaNAJpm3hAjttdNYFb2upPI:/YDqL68MNXuDaPWw9jttdFupA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	TT payment.exe

Loads dropped DLL 1 IoCs

pid	Process
3448	TT payment.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 4784	3448	TT payment.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe
4784	TT payment.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3448	TT payment.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	TT payment.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4784	3448	TT payment.exe	86
PID 3448 wrote to memory of 4784	3448	TT payment.exe	86
PID 3448 wrote to memory of 4784	3448	TT payment.exe	86
PID 3448 wrote to memory of 4784	3448	TT payment.exe	86

C:\Users\Admin\AppData\Local\Temp\TT payment.exe
"C:\Users\Admin\AppData\Local\Temp\TT payment.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\TT payment.exe
  "C:\Users\Admin\AppData\Local\Temp\TT payment.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf6DCF.tmp\hyjmxpu.dll

Filesize
62KB

MD5
ca24e7e81aefb3cb413667d916a21d95

SHA1
459b0078de3126776cd6969b2b7740a07aafe7d7

SHA256
e25490e7846e48655bf0339f7713568f40a9f21cf5a97ebdbfc4103d131f1421

SHA512
1ba52bb357cc805cf323ad50ef95ea1a4f1c9681502aebd82ef24fb1ecd4a29af88da14fc6a99c36d16b544a0950dec8d623caad9ca27d80ccd25376cef475be

Download Submit
memory/3448-138-0x0000000074990000-0x00000000749A3000-memory.dmp

Filesize
76KB

Download
memory/3448-140-0x0000000074990000-0x00000000749A3000-memory.dmp

Filesize
76KB

Download
memory/4784-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-142-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/4784-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download