Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2023 08:51

Static task: static1

Behavioral task: behavioral1
- Sample: Payment copy_Usd 163,500.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: Payment copy_Usd 163,500.exe
- Resource: win10v2004-20230915-en
General
- Target: Payment copy_Usd 163,500.exe
- Size: 931KB
- MD5: 8e841cfc7f7abab974f8adbc4e260346
- SHA1: 385ba1dad2877c6a712cda30dbb4cd47007d93ce
- SHA256: 1a552b5db668c321e7f584e0f2d379afc41c00707e4fecad232823445bbcf8be
- SHA512: ae50615333524c4b3aa89bb790567d3464ec122d5fc494af62c55762c0e522b7a05c2bb024b1bb0a422f4ea22727b0f372d21735475dc93fafe3dada58748691
- SSDEEP: 24576:IwMf2oD5HOhpMmKHeErwqFSVSd+i92MScNXVbzQn:IBzODMmAeswqIHMtNX2
Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:

  | pid  | process                      |
  |------|------------------------------|
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2200 | Payment copy_Usd 163,500.exe |
  | 2672 | powershell.exe               |
  | 2764 | powershell.exe               |

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:

  | description             | pid  | process                      |
  |-------------------------|------|------------------------------|
  | Token: SeDebugPrivilege | 2200 | Payment copy_Usd 163,500.exe |
  | Token: SeDebugPrivilege | 2672 | powershell.exe               |
  | Token: SeDebugPrivilege | 2764 | powershell.exe               |

- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes:

  | description                      | pid  | process                      | target process               |
  |----------------------------------|------|------------------------------|------------------------------|
  | PID 2200 wrote to memory of 2764 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2764 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2764 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2764 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2672 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2672 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2672 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2672 | 2200 | Payment copy_Usd 163,500.exe | powershell.exe               |
  | PID 2200 wrote to memory of 2884 | 2200 | Payment copy_Usd 163,500.exe | schtasks.exe                 |
  | PID 2200 wrote to memory of 2884 | 2200 | Payment copy_Usd 163,500.exe | schtasks.exe                 |
  | PID 2200 wrote to memory of 2884 | 2200 | Payment copy_Usd 163,500.exe | schtasks.exe                 |
  | PID 2200 wrote to memory of 2884 | 2200 | Payment copy_Usd 163,500.exe | schtasks.exe                 |
  | PID 2200 wrote to memory of 2576 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2576 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2576 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2576 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2776 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2776 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2776 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2776 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2672 wrote to memory of 2524 | 2672 | powershell.exe               | dw20.exe                     |
  | PID 2672 wrote to memory of 2524 | 2672 | powershell.exe               | dw20.exe                     |
  | PID 2672 wrote to memory of 2524 | 2672 | powershell.exe               | dw20.exe                     |
  | PID 2672 wrote to memory of 2524 | 2672 | powershell.exe               | dw20.exe                     |
  | PID 2200 wrote to memory of 2532 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2532 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2532 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2532 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2540 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2540 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2540 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2540 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2572 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2572 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2572 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
  | PID 2200 wrote to memory of 2572 | 2200 | Payment copy_Usd 163,500.exe | Payment copy_Usd 163,500.exe |
Processes (process tree; the number in brackets is the depth in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
  PID: 2200
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2764
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IpqdQJORbvHjRe.exe"
    PID: 2672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 712
      PID: 2524
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpqdQJORbvHjRe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF71B.tmp"
    PID: 2884
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2576
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2776
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2532
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2540
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy_Usd 163,500.exe"
    PID: 2572
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e732e095f663b3b0c0f00ded35ec19c0
  SHA1: a2c3b57f7da038a044dcd9c95ad0b3eaddac0909
  SHA256: b52c46159f524fb699ea77784bff5ab1c5ed10c714627e24fc78d21203c065d7
  SHA512: a36477e8a07885f459ce7808b8cb68d3571eb18199f547ed5dc77d2bb4a4d465701bf96e5bd8b9fe32eba480ded1cfd08ef93f3e4cbb8d61e22b9b7a88fbd1ba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G2XCTPWP7ZIDB5L4CSBR.temp
  Filesize: 7KB
  MD5: 0abb7db68d310cb5438e4ceef56ab6dc
  SHA1: 85047f7f18666f679c53fdf11e380cb5ec30eb0d
  SHA256: bb5b7a3761b51262312036e6125a07c948b0d93b85594fcfc03408c206315d76
  SHA512: de4c34fc4054e5dc26e3830d67ddb42d30c2b464ebb3d000162d028bb473581b11d8a33959d7ebf669bf234511a95aba68597100784569fb2a012acbd05d6ba3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 0abb7db68d310cb5438e4ceef56ab6dc
  SHA1: 85047f7f18666f679c53fdf11e380cb5ec30eb0d
  SHA256: bb5b7a3761b51262312036e6125a07c948b0d93b85594fcfc03408c206315d76
  SHA512: de4c34fc4054e5dc26e3830d67ddb42d30c2b464ebb3d000162d028bb473581b11d8a33959d7ebf669bf234511a95aba68597100784569fb2a012acbd05d6ba3