378f4daa6190153fc7f9cac724c04ad425e83918d92cfd3a186bceab66bae343

General

Target

PAYMENT BANK INSTRUCTION COPY.exe
Size

495KB
MD5

ef485efc8a94d9e7fc3bb0379a44f084
SHA1

6aa85df83a914bf32bd5165cd1299d26f1905dfb
SHA256

378f4daa6190153fc7f9cac724c04ad425e83918d92cfd3a186bceab66bae343
SHA512

0939bbfa97c2fb302b32c5f6598bbd510a203fc59dfc4c8a4e6b1105dff998f405903487e9c70439a51225ce3693f40baf85c9bb335a4a60023ef87717bac332
SSDEEP

12288:2nXB9dO8KsqQnirS0DSngIE0SCAtRnZagLCWh:2R9M8Kj9SJgT0sVZnLCWh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2164	PAYMENT BANK INSTRUCTION COPY.exe
2164	PAYMENT BANK INSTRUCTION COPY.exe
2164	PAYMENT BANK INSTRUCTION COPY.exe
2164	PAYMENT BANK INSTRUCTION COPY.exe
2164	PAYMENT BANK INSTRUCTION COPY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	PAYMENT BANK INSTRUCTION COPY.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2736	2164	PAYMENT BANK INSTRUCTION COPY.exe	30
PID 2164 wrote to memory of 2736	2164	PAYMENT BANK INSTRUCTION COPY.exe	30
PID 2164 wrote to memory of 2736	2164	PAYMENT BANK INSTRUCTION COPY.exe	30
PID 2164 wrote to memory of 2736	2164	PAYMENT BANK INSTRUCTION COPY.exe	30
PID 2164 wrote to memory of 2828	2164	PAYMENT BANK INSTRUCTION COPY.exe	32
PID 2164 wrote to memory of 2828	2164	PAYMENT BANK INSTRUCTION COPY.exe	32
PID 2164 wrote to memory of 2828	2164	PAYMENT BANK INSTRUCTION COPY.exe	32
PID 2164 wrote to memory of 2828	2164	PAYMENT BANK INSTRUCTION COPY.exe	32
PID 2164 wrote to memory of 2712	2164	PAYMENT BANK INSTRUCTION COPY.exe	33
PID 2164 wrote to memory of 2712	2164	PAYMENT BANK INSTRUCTION COPY.exe	33
PID 2164 wrote to memory of 2712	2164	PAYMENT BANK INSTRUCTION COPY.exe	33
PID 2164 wrote to memory of 2712	2164	PAYMENT BANK INSTRUCTION COPY.exe	33
PID 2164 wrote to memory of 2708	2164	PAYMENT BANK INSTRUCTION COPY.exe	34
PID 2164 wrote to memory of 2708	2164	PAYMENT BANK INSTRUCTION COPY.exe	34
PID 2164 wrote to memory of 2708	2164	PAYMENT BANK INSTRUCTION COPY.exe	34
PID 2164 wrote to memory of 2708	2164	PAYMENT BANK INSTRUCTION COPY.exe	34
PID 2164 wrote to memory of 2728	2164	PAYMENT BANK INSTRUCTION COPY.exe	35
PID 2164 wrote to memory of 2728	2164	PAYMENT BANK INSTRUCTION COPY.exe	35
PID 2164 wrote to memory of 2728	2164	PAYMENT BANK INSTRUCTION COPY.exe	35
PID 2164 wrote to memory of 2728	2164	PAYMENT BANK INSTRUCTION COPY.exe	35
PID 2164 wrote to memory of 2744	2164	PAYMENT BANK INSTRUCTION COPY.exe	36
PID 2164 wrote to memory of 2744	2164	PAYMENT BANK INSTRUCTION COPY.exe	36
PID 2164 wrote to memory of 2744	2164	PAYMENT BANK INSTRUCTION COPY.exe	36
PID 2164 wrote to memory of 2744	2164	PAYMENT BANK INSTRUCTION COPY.exe	36

C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LPuYvaJpW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4F2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE4F2.tmp

Filesize
1KB

MD5
52ded2d3d5db403471e3938b79744076

SHA1
d8683e240d5bf8f5e8f486ca051d2546f394a16f

SHA256
228b82fb96490804934c461f22e23a87f9de942f1b206468fb8a820eeb1ff05d

SHA512
23c0cde17e2821a7471c44e50f435bd71b4107a2dc9e627e6d5fcec09e069169a04b361c9f649ba0a9ce7edd0872ffac12c46b3d8b1ca3a295b7648ff1dce156

Download Submit
memory/2164-0-0x0000000000BA0000-0x0000000000C22000-memory.dmp

Filesize
520KB

Download
memory/2164-1-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-2-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/2164-3-0x00000000043E0000-0x0000000004492000-memory.dmp

Filesize
712KB

Download
memory/2164-4-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-5-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/2164-6-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/2164-7-0x00000000051B0000-0x000000000520E000-memory.dmp

Filesize
376KB

Download
memory/2164-8-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/2164-12-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads