Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 16:21
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT INVOICE.BAT.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: PAYMENT INVOICE.BAT.exe
- Resource: win10v2004-20231130-en
General
- Target: PAYMENT INVOICE.BAT.exe
- Size: 639KB
- MD5: 78cdd7631daa770440ea9fa871fd8d63
- SHA1: 7a3e6d5992612d2f7b98d35f8ab2d96aa1950f61
- SHA256: 8d1d78a3ed7da56ab5783ebcc5e7c0b22921179f3d124aa7511bb952d199ef2b
- SHA512: c915fe8ddc1e3b90d4e53ba30dd30336ef8a45843dff42413300c44ac0d67a82c92565efe9df2f8b8aeb59e15adc2942eeed7bec24292170236b9e4d704690f4
- SSDEEP: 12288:jE0QaueH5qRILAmLngh9QDBSfKaPUD2vNkbMRYjWOx:jE4qRILAmmuAOD/bMvO
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: PAYMENT INVOICE.BAT.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation
  process: PAYMENT INVOICE.BAT.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe, powershell.exe
  pid 848, process PAYMENT INVOICE.BAT.exe (10 entries)
  pid 412, process powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe, powershell.exe
  Token: SeDebugPrivilege, pid 848, process PAYMENT INVOICE.BAT.exe
  Token: SeDebugPrivilege, pid 412, process powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 412 (powershell.exe), 3 entries
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 1332 (PAYMENT INVOICE.BAT.exe), 3 entries
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 3548 (PAYMENT INVOICE.BAT.exe), 3 entries
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 4336 (PAYMENT INVOICE.BAT.exe), 3 entries
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 3588 (PAYMENT INVOICE.BAT.exe), 3 entries
  PID 848 (PAYMENT INVOICE.BAT.exe) wrote to memory of PID 4572 (PAYMENT INVOICE.BAT.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 412)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 4572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 3588)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 4336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 3548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 1332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82