5037f383f15e45cb88828e53082b6b643a024fafc8602dda686564e7b1f88dad

Analysis

max time kernel
178s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ST HIRE REMITANCE SLIP_USD280,000.exe
Size

649KB
MD5

eccf07847afbea25a8df68c3351375cf
SHA1

f5841cb1d9f7d8de1a08ceba7b4b68564f410e63
SHA256

5037f383f15e45cb88828e53082b6b643a024fafc8602dda686564e7b1f88dad
SHA512

0bc381908d518df6034a8c26963869b0061652bd01085b65613d4b238a1562230b7a05e75e4524b579935ac3e3fe3b60e7dc2366b899ef44a3d68dfabbed7f29
SSDEEP

12288:3KJmomWOHSn9KVsFQSeo/h8NFe8lasp16a1Ya+cnsP67go6se66rnNvTM5NncD:4b/BEkQSeo/h7clRUa96pvTWyD

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1300	icacls.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 532 set thread context of 3452	532	1ST HIRE REMITANCE SLIP_USD280,000.exe	45
PID 532 set thread context of 1300	532	1ST HIRE REMITANCE SLIP_USD280,000.exe	96
PID 1300 set thread context of 3452	1300	icacls.exe	45

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	icacls.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
532	1ST HIRE REMITANCE SLIP_USD280,000.exe
3452	Explorer.EXE
3452	Explorer.EXE
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe
1300	icacls.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3452	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 2944 wrote to memory of 532	2944	1ST HIRE REMITANCE SLIP_USD280,000.exe	93
PID 3452 wrote to memory of 1300	3452	Explorer.EXE	96
PID 3452 wrote to memory of 1300	3452	Explorer.EXE	96
PID 3452 wrote to memory of 1300	3452	Explorer.EXE	96
PID 1300 wrote to memory of 1728	1300	icacls.exe	97
PID 1300 wrote to memory of 1728	1300	icacls.exe	97
PID 1300 wrote to memory of 1728	1300	icacls.exe	97

C:\Users\Admin\AppData\Local\Temp\1ST HIRE REMITANCE SLIP_USD280,000.exe
"C:\Users\Admin\AppData\Local\Temp\1ST HIRE REMITANCE SLIP_USD280,000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\1ST HIRE REMITANCE SLIP_USD280,000.exe
  "C:\Users\Admin\AppData\Local\Temp\1ST HIRE REMITANCE SLIP_USD280,000.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:532

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\SysWOW64\icacls.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-22-0x0000000001D10000-0x0000000001D34000-memory.dmp

Filesize
144KB

Download
memory/532-18-0x0000000001D10000-0x0000000001D34000-memory.dmp

Filesize
144KB

Download
memory/532-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-14-0x0000000001990000-0x0000000001CDA000-memory.dmp

Filesize
3.3MB

Download
memory/532-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-19-0x0000000000C90000-0x0000000000CCA000-memory.dmp

Filesize
232KB

Download
memory/1300-30-0x0000000001300000-0x00000000013A3000-memory.dmp

Filesize
652KB

Download
memory/1300-26-0x0000000000C90000-0x0000000000CCA000-memory.dmp

Filesize
232KB

Download
memory/1300-25-0x0000000001300000-0x00000000013A3000-memory.dmp

Filesize
652KB

Download
memory/1300-24-0x0000000000C90000-0x0000000000CCA000-memory.dmp

Filesize
232KB

Download
memory/1300-23-0x0000000001430000-0x000000000177A000-memory.dmp

Filesize
3.3MB

Download
memory/1300-20-0x0000000000C90000-0x0000000000CCA000-memory.dmp

Filesize
232KB

Download
memory/2944-6-0x0000000004FD0000-0x0000000004FE4000-memory.dmp

Filesize
80KB

Download
memory/2944-2-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/2944-7-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/2944-5-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/2944-1-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2944-3-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/2944-0-0x0000000000160000-0x0000000000208000-memory.dmp

Filesize
672KB

Download
memory/2944-4-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2944-10-0x0000000008620000-0x00000000086BC000-memory.dmp

Filesize
624KB

Download
memory/2944-13-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2944-9-0x0000000005ED0000-0x0000000005F4E000-memory.dmp

Filesize
504KB

Download
memory/2944-8-0x0000000005020000-0x000000000502E000-memory.dmp

Filesize
56KB

Download
memory/3452-27-0x0000000008AB0000-0x0000000008B9B000-memory.dmp

Filesize
940KB

Download
memory/3452-28-0x0000000008AB0000-0x0000000008B9B000-memory.dmp

Filesize
940KB

Download
memory/3452-36-0x0000000008AB0000-0x0000000008B9B000-memory.dmp

Filesize
940KB

Download