77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Receipt.exe
Size

846KB
MD5

4bb77e30a2cea771b1bda6ac99c4e19e
SHA1

b1bc299bb977c2732a93062903f70cb06c24a085
SHA256

77579d66a9a588f82d409def94002c74fad7729abf83d63388ce897b66b50804
SHA512

270c03ed9eee2068f7421198d5fa90584689d1e7b1a07c4e91702b1d864bb45f7e6b6c01f6327b2047094851086cd1b0bb07c172534c693a3ecc7e95358cae44
SSDEEP

12288:JVpBmiET9+jRl7DQuq9hUYnHmVam1FtI7DrCnboL7Q++448NCUcYuS9:uy9QrhPGVFICnbZ+Xj8Uj9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Payment Receipt.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 4600	3168	Payment Receipt.exe	103
PID 4600 set thread context of 3140	4600	Payment Receipt.exe	35
PID 4600 set thread context of 416	4600	Payment Receipt.exe	106
PID 416 set thread context of 3140	416	ROUTE.EXE	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ROUTE.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3168	Payment Receipt.exe
3168	Payment Receipt.exe
3168	Payment Receipt.exe
3168	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
2332	powershell.exe
2332	powershell.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
4600	Payment Receipt.exe
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4600	Payment Receipt.exe
3140	Explorer.EXE
3140	Explorer.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE
416	ROUTE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	Payment Receipt.exe
Token: SeDebugPrivilege	2332	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2332	3168	Payment Receipt.exe	100
PID 3168 wrote to memory of 2332	3168	Payment Receipt.exe	100
PID 3168 wrote to memory of 2332	3168	Payment Receipt.exe	100
PID 3168 wrote to memory of 1616	3168	Payment Receipt.exe	101
PID 3168 wrote to memory of 1616	3168	Payment Receipt.exe	101
PID 3168 wrote to memory of 1616	3168	Payment Receipt.exe	101
PID 3168 wrote to memory of 3840	3168	Payment Receipt.exe	104
PID 3168 wrote to memory of 3840	3168	Payment Receipt.exe	104
PID 3168 wrote to memory of 3840	3168	Payment Receipt.exe	104
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3168 wrote to memory of 4600	3168	Payment Receipt.exe	103
PID 3140 wrote to memory of 416	3140	Explorer.EXE	106
PID 3140 wrote to memory of 416	3140	Explorer.EXE	106
PID 3140 wrote to memory of 416	3140	Explorer.EXE	106
PID 416 wrote to memory of 1948	416	ROUTE.EXE	109
PID 416 wrote to memory of 1948	416	ROUTE.EXE	109
PID 416 wrote to memory of 1948	416	ROUTE.EXE	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
    3⤵
    PID:3840
- C:\Windows\SysWOW64\ROUTE.EXE
  "C:\Windows\SysWOW64\ROUTE.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvjcxjdo.q2l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/416-83-0x0000000001520000-0x00000000015C0000-memory.dmp

Filesize
640KB

Download
memory/416-76-0x0000000000EC0000-0x0000000000EFA000-memory.dmp

Filesize
232KB

Download
memory/416-73-0x0000000001520000-0x00000000015C0000-memory.dmp

Filesize
640KB

Download
memory/416-72-0x0000000000EC0000-0x0000000000EFA000-memory.dmp

Filesize
232KB

Download
memory/416-71-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/416-68-0x0000000000EC0000-0x0000000000EFA000-memory.dmp

Filesize
232KB

Download
memory/416-67-0x0000000000EC0000-0x0000000000EFA000-memory.dmp

Filesize
232KB

Download
memory/2332-37-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/2332-23-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/2332-54-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/2332-53-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/2332-52-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/2332-62-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2332-16-0x0000000004780000-0x00000000047B6000-memory.dmp

Filesize
216KB

Download
memory/2332-17-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2332-59-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/2332-18-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/2332-19-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/2332-20-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/2332-58-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/2332-22-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/2332-57-0x0000000007340000-0x0000000007354000-memory.dmp

Filesize
80KB

Download
memory/2332-55-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/2332-33-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/2332-34-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/2332-35-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/2332-36-0x0000000005E90000-0x0000000005EDC000-memory.dmp

Filesize
304KB

Download
memory/2332-56-0x0000000007330000-0x000000000733E000-memory.dmp

Filesize
56KB

Download
memory/2332-38-0x0000000006400000-0x0000000006432000-memory.dmp

Filesize
200KB

Download
memory/2332-39-0x0000000070420000-0x000000007046C000-memory.dmp

Filesize
304KB

Download
memory/2332-49-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/2332-50-0x0000000006FE0000-0x0000000007083000-memory.dmp

Filesize
652KB

Download
memory/2332-51-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/3140-74-0x00000000091A0000-0x0000000009291000-memory.dmp

Filesize
964KB

Download
memory/3140-75-0x00000000091A0000-0x0000000009291000-memory.dmp

Filesize
964KB

Download
memory/3140-84-0x00000000091A0000-0x0000000009291000-memory.dmp

Filesize
964KB

Download
memory/3168-8-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/3168-3-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/3168-9-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3168-10-0x0000000006790000-0x000000000680E000-memory.dmp

Filesize
504KB

Download
memory/3168-15-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1-0x00000000005F0000-0x00000000006CA000-memory.dmp

Filesize
872KB

Download
memory/3168-2-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3168-11-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3168-0-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3168-4-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3168-7-0x0000000005450000-0x000000000545E000-memory.dmp

Filesize
56KB

Download
memory/3168-6-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/3168-5-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/4600-70-0x00000000013A0000-0x00000000013C1000-memory.dmp

Filesize
132KB

Download
memory/4600-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-66-0x00000000013A0000-0x00000000013C1000-memory.dmp

Filesize
132KB

Download
memory/4600-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4600-21-0x0000000001550000-0x000000000189A000-memory.dmp

Filesize
3.3MB

Download