1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be

General

Target

Payment copy_Usd 163,500.exe
Size

931KB
MD5

8e841cfc7f7abab974f8adbc4e260346
SHA1

385ba1dad2877c6a712cda30dbb4cd47007d93ce
SHA256

1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
SHA512

ae50615333524c4b3aa89bb790567d3464ec122d5fc494af62c55762c0e522b7a05c2bb024b1bb0a422f4ea22727b0f372d21735475dc93fafe3dada58748691
SSDEEP

24576:IwMf2oD5HOhpMmKHeErwqFSVSd+i92MScNXVbzQn:IBzODMmAeswqIHMtNX2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2884 schtasks.exe

pid	process
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Payment copy_Usd 163,500.exepowershell.exepowershell.exe

pid	process
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2200	Payment copy_Usd 163,500.exe
2672	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment copy_Usd 163,500.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2200	Payment copy_Usd 163,500.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Payment copy_Usd 163,500.exepowershell.exe

description	pid	process	target process
PID 2200 wrote to memory of 2764	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2764	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2764	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2764	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2672	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2672	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2672	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2672	2200	Payment copy_Usd 163,500.exe	powershell.exe
PID 2200 wrote to memory of 2884	2200	Payment copy_Usd 163,500.exe	schtasks.exe
PID 2200 wrote to memory of 2884	2200	Payment copy_Usd 163,500.exe	schtasks.exe
PID 2200 wrote to memory of 2884	2200	Payment copy_Usd 163,500.exe	schtasks.exe
PID 2200 wrote to memory of 2884	2200	Payment copy_Usd 163,500.exe	schtasks.exe
PID 2200 wrote to memory of 2576	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2576	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2576	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2576	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2776	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2776	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2776	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2776	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2672 wrote to memory of 2524	2672	powershell.exe	dw20.exe
PID 2672 wrote to memory of 2524	2672	powershell.exe	dw20.exe
PID 2672 wrote to memory of 2524	2672	powershell.exe	dw20.exe
PID 2672 wrote to memory of 2524	2672	powershell.exe	dw20.exe
PID 2200 wrote to memory of 2532	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2532	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2532	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2532	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2540	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2540	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2540	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2540	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2572	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2572	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2572	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe
PID 2200 wrote to memory of 2572	2200	Payment copy_Usd 163,500.exe	Payment copy_Usd 163,500.exe

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IpqdQJORbvHjRe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 712
3⤵
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpqdQJORbvHjRe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF71B.tmp"
2⤵
- Creates scheduled task(s)
PID:2884

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
"C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
2⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF71B.tmp

Filesize
1KB

MD5
e732e095f663b3b0c0f00ded35ec19c0

SHA1
a2c3b57f7da038a044dcd9c95ad0b3eaddac0909

SHA256
b52c46159f524fb699ea77784bff5ab1c5ed10c714627e24fc78d21203c065d7

SHA512
a36477e8a07885f459ce7808b8cb68d3571eb18199f547ed5dc77d2bb4a4d465701bf96e5bd8b9fe32eba480ded1cfd08ef93f3e4cbb8d61e22b9b7a88fbd1ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G2XCTPWP7ZIDB5L4CSBR.temp

Filesize
7KB

MD5
0abb7db68d310cb5438e4ceef56ab6dc

SHA1
85047f7f18666f679c53fdf11e380cb5ec30eb0d

SHA256
bb5b7a3761b51262312036e6125a07c948b0d93b85594fcfc03408c206315d76

SHA512
de4c34fc4054e5dc26e3830d67ddb42d30c2b464ebb3d000162d028bb473581b11d8a33959d7ebf669bf234511a95aba68597100784569fb2a012acbd05d6ba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0abb7db68d310cb5438e4ceef56ab6dc

SHA1
85047f7f18666f679c53fdf11e380cb5ec30eb0d

SHA256
bb5b7a3761b51262312036e6125a07c948b0d93b85594fcfc03408c206315d76

SHA512
de4c34fc4054e5dc26e3830d67ddb42d30c2b464ebb3d000162d028bb473581b11d8a33959d7ebf669bf234511a95aba68597100784569fb2a012acbd05d6ba3

Download Submit
memory/2200-5-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/2200-20-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-0-0x0000000000320000-0x000000000040E000-memory.dmp

Filesize
952KB

Download
memory/2200-6-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2200-7-0x0000000007A50000-0x0000000007AB0000-memory.dmp

Filesize
384KB

Download
memory/2200-3-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2200-2-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/2200-1-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-4-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-29-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2672-22-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-24-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-26-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2672-28-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2672-30-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-21-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-23-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2764-25-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-27-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2764-31-0x000000006EDD0000-0x000000006F37B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads