378f4daa6190153fc7f9cac724c04ad425e83918d92cfd3a186bceab66bae343

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT BANK INSTRUCTION COPY.exe
Size

495KB
MD5

ef485efc8a94d9e7fc3bb0379a44f084
SHA1

6aa85df83a914bf32bd5165cd1299d26f1905dfb
SHA256

378f4daa6190153fc7f9cac724c04ad425e83918d92cfd3a186bceab66bae343
SHA512

0939bbfa97c2fb302b32c5f6598bbd510a203fc59dfc4c8a4e6b1105dff998f405903487e9c70439a51225ce3693f40baf85c9bb335a4a60023ef87717bac332
SSDEEP

12288:2nXB9dO8KsqQnirS0DSngIE0SCAtRnZagLCWh:2R9M8Kj9SJgT0sVZnLCWh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe
244	PAYMENT BANK INSTRUCTION COPY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	244	PAYMENT BANK INSTRUCTION COPY.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 908	244	PAYMENT BANK INSTRUCTION COPY.exe	91
PID 244 wrote to memory of 908	244	PAYMENT BANK INSTRUCTION COPY.exe	91
PID 244 wrote to memory of 908	244	PAYMENT BANK INSTRUCTION COPY.exe	91
PID 244 wrote to memory of 2072	244	PAYMENT BANK INSTRUCTION COPY.exe	93
PID 244 wrote to memory of 2072	244	PAYMENT BANK INSTRUCTION COPY.exe	93
PID 244 wrote to memory of 2072	244	PAYMENT BANK INSTRUCTION COPY.exe	93
PID 244 wrote to memory of 3620	244	PAYMENT BANK INSTRUCTION COPY.exe	94
PID 244 wrote to memory of 3620	244	PAYMENT BANK INSTRUCTION COPY.exe	94
PID 244 wrote to memory of 3620	244	PAYMENT BANK INSTRUCTION COPY.exe	94
PID 244 wrote to memory of 2088	244	PAYMENT BANK INSTRUCTION COPY.exe	95
PID 244 wrote to memory of 2088	244	PAYMENT BANK INSTRUCTION COPY.exe	95
PID 244 wrote to memory of 2088	244	PAYMENT BANK INSTRUCTION COPY.exe	95
PID 244 wrote to memory of 400	244	PAYMENT BANK INSTRUCTION COPY.exe	96
PID 244 wrote to memory of 400	244	PAYMENT BANK INSTRUCTION COPY.exe	96
PID 244 wrote to memory of 400	244	PAYMENT BANK INSTRUCTION COPY.exe	96
PID 244 wrote to memory of 900	244	PAYMENT BANK INSTRUCTION COPY.exe	97
PID 244 wrote to memory of 900	244	PAYMENT BANK INSTRUCTION COPY.exe	97
PID 244 wrote to memory of 900	244	PAYMENT BANK INSTRUCTION COPY.exe	97

C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LPuYvaJpW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA1A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:908
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe
  "{path}"
  2⤵
  PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFA1A.tmp

Filesize
1KB

MD5
2349aa256fcdd43edb4fe20eb013a289

SHA1
2ef6481509e6d8ac76f10333ae4d392f37bc26ad

SHA256
f079753f9f9fafc9bc136407965f06c8ba35b80660de2c634e18ff989abcf635

SHA512
cb2ec4c7a2e0a02cbe70ee5f5b52ce0c2b3863b076baf8dc5f5f128ab351a07aae942fc1cfd7c40e00ccc10dca151685b1e8301713a3e3320703655e97ef1e64

Download Submit
memory/244-0-0x0000000000D50000-0x0000000000DD2000-memory.dmp

Filesize
520KB

Download
memory/244-1-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/244-2-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/244-3-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/244-4-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/244-5-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/244-6-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/244-7-0x0000000005A90000-0x0000000005AE6000-memory.dmp

Filesize
344KB

Download
memory/244-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/244-9-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/244-14-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download