Overview

overview

10

Static

static

3

Invoice.exe

windows7-x64

7

Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2023, 14:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.exe

  • Size

    644KB

  • MD5

    378a8353e948f85fc2c580294b65b56e

  • SHA1

    446b17e72f61fc51ac27f9d31f7e649239116fe8

  • SHA256

    b8cc87b3e18517799b9d256edc93224ff87b14756d37b8c6c2d9a89eb3f9b533

  • SHA512

    d62162bcb09da9514e985866d9ff8ffdda1f09d29b4b7e107a780f5003166213e74000defa63869fe452563de7a366763595e832932cbb9f1e6bb3ddcc805cce

  • SSDEEP

    12288:xG7s9CfBQhxVbhcUgrNjsjgtRm7FiNQpPJabwupO8TSqH:Y7s9lVbpgrNLmISxJ103TSq

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UPKpThSaR.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UPKpThSaR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB51.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpDB51.tmp
          Filesize

          1KB

          MD5

          32e67956ca59901d3e35181723fe06dc

          SHA1

          1dad09e99a75e222f0e4e95e273f0e49fe33bc6d

          SHA256

          2875822b403699b08bba0ee9bb34db0f547b47c3d04af1f141d53f47b639d1cd

          SHA512

          f9f014570308865e6b99b31d6296b45de6c5a4ad034bab66a07307bab0090608d8bc370f982d725ed76f7335eca6c83270ff94496c076a1e21bfc00c3e07b02b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AWBUOK0M9GR9F1YTN4M7.temp
          Filesize

          7KB

          MD5

          e9d3aff88fa265d3027eb3b5a19521cd

          SHA1

          3c22be5656a7f4278041fa83af750962d9b469a2

          SHA256

          95822a04a34d591b9638393a68eaeada42ef01b8feaaf2c335e7c89b580819dc

          SHA512

          0f8863c0e9e2401b6b52d911eccc4e87d888cf66342422b2981637ab345a417f43047a988f8bb7f74b4868d2938e6e8fee3b49bafc5df9ca421e5d0139b5b8f5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          e9d3aff88fa265d3027eb3b5a19521cd

          SHA1

          3c22be5656a7f4278041fa83af750962d9b469a2

          SHA256

          95822a04a34d591b9638393a68eaeada42ef01b8feaaf2c335e7c89b580819dc

          SHA512

          0f8863c0e9e2401b6b52d911eccc4e87d888cf66342422b2981637ab345a417f43047a988f8bb7f74b4868d2938e6e8fee3b49bafc5df9ca421e5d0139b5b8f5

          Download Submit

        • memory/1968-4-0x0000000074110000-0x00000000747FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1968-1-0x0000000074110000-0x00000000747FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1968-5-0x0000000000C40000-0x0000000000C80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1968-6-0x0000000000590000-0x00000000005A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1968-7-0x0000000005240000-0x00000000052BA000-memory.dmp

          Filesize

          488KB

          Download

        • memory/1968-3-0x0000000000600000-0x0000000000618000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1968-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1968-32-0x0000000074110000-0x00000000747FE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1968-0-0x0000000000E30000-0x0000000000ED8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2500-44-0x00000000026D0000-0x0000000002710000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2500-43-0x00000000026D0000-0x0000000002710000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2500-45-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2500-39-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2500-37-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2600-40-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2600-38-0x00000000020B0000-0x00000000020F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2600-46-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2600-36-0x000000006EE70000-0x000000006F41B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2600-42-0x00000000020B0000-0x00000000020F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2900-26-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2900-33-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-41-0x0000000073020000-0x000000007370E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2900-30-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-22-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-20-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-35-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2900-47-0x0000000073020000-0x000000007370E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2900-48-0x00000000003A0000-0x00000000003E0000-memory.dmp

          Filesize

          256KB

          Download