Analysis
max time kernel: 135s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:12
Static task: static1
Behavioral task: behavioral1
Sample: receipt of full payment.exe
Resource: win7-20231129-en
General
Target: receipt of full payment.exe
Size: 918KB
MD5: dc8adcc624f9599d45e5e3b63411e4c7
SHA1: 65f0b0f038f3969d5080ec79ce559093b217c467
SHA256: 2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
SHA512: 51443b901a0abd5a74d69e22ec66367604a3b4005256efe3c96c843e5873ec158cec4dcc647508ca682975434514cf88977f170b6586bc31ae69b360919ce41e
SSDEEP: 12288:mlUgySozdUd283S5qgkFCxjI4s+gGL+i7vJ0TG/r7jam+VM/NwNVJdPFZdVBo6U1:8mFudCDkFCx84OG9Brj7emT/NCVJdz
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
Suspicious use of SetThreadContext (1 IoC)
  PID 1964 receipt of full payment.exe set thread context of PID 2460 receipt of full payment.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 1964 receipt of full payment.exe (7 events)
  PID 2648 powershell.exe
  PID 2712 powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 1964 receipt of full payment.exe: SeDebugPrivilege
  PID 2648 powershell.exe: SeDebugPrivilege
  PID 2712 powershell.exe: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2460 receipt of full payment.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1964 receipt of full payment.exe wrote to PID 2648 powershell.exe (4 events)
  PID 1964 receipt of full payment.exe wrote to PID 2712 powershell.exe (4 events)
  PID 1964 receipt of full payment.exe wrote to PID 2632 schtasks.exe (4 events)
  PID 1964 receipt of full payment.exe wrote to PID 2460 receipt of full payment.exe (9 events)

Read together, the signatures describe one chain: the parent (PID 1964) launches a second copy of its own image (PID 2460), writes into it nine times and then calls SetThreadContext on it. That is the classic process-hollowing sequence, in which the real payload is unpacked into the suspended child and its entry point is redirected, so the code that runs is not the code on disk. The four writes into each PowerShell and schtasks child are the volume typically seen at process start-up and do not by themselves indicate injection. SetWindowsHookEx inside the hollowed child is worth noting because DarkCloud is a credential stealer and Windows hooks are a common way to capture keystrokes, but the report does not record which hook type was installed.
Processes
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe (PID 1964)
  command line: "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2648)
  |    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
  |    - Suspicious behavior: EnumeratesProcesses
  |    - Suspicious use of AdjustPrivilegeToken
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2712)
  |    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"
  |    - Suspicious behavior: EnumeratesProcesses
  |    - Suspicious use of AdjustPrivilegeToken
  |- C:\Windows\SysWOW64\schtasks.exe (PID 2632)
  |    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp"
  |    - Creates scheduled task(s)
  |- C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe (PID 2460)
       command line: "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
       - Suspicious use of SetWindowsHookEx

Two details of the tree matter for triage. First, every child command line names System32 but the image that actually ran lives under SysWOW64: the sample is a 32-bit executable (the resource tags list arch:x86) and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers, so a detection keyed only on the System32 path would miss these processes. Second, the two Defender exclusions cover the sample's own path and C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe, the same name used by the scheduled task Updates\VpfYGImQGmj; this is consistent with the sample copying itself to that Roaming path for persistence, though the report lists no dropped file there, so the copy is inferred rather than observed. The task definition is imported from an XML file in %TEMP% (tmp65A6.tmp) rather than built from command-line switches, which keeps the trigger and action out of the visible command line.
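The chain above (Defender exclusions added from PowerShell, a task imported from XML in %TEMP%, and a second copy of the same binary launched from a user-writable path) can be written as correlated process-creation rules. The following is an added example, not part of the original report and not any sandbox vendor's code. Its event records are constructed by hand to mirror the report's process tree (PIDs, image paths and command lines are copied from it; the parent-image fields and the benign control entry are assumed), with field names following Sysmon Event ID 1 naming. SetThreadContext does not appear in process-creation telemetry, so the hollowing rule uses a proxy: a child whose image equals its parent's, both in a user-writable directory.

```python
"""Correlated detection rules for the behaviour chain in the sandbox report.

Added example, not the report's own content. SAMPLE_EVENTS is constructed
(not captured logs): PIDs, paths and command lines mirror the report; the
parent_image of PID 1964 and the final benign entry are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

# Constructed process-creation events, one per process in the report's tree.
SAMPLE_EVENTS = [
    {"pid": 1964, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"pid": 2648, "ppid": 1964, "image": PS_IMAGE, "parent_image": SAMPLE,
     "cmdline": PS_CMD + f' Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 2712, "ppid": 1964, "image": PS_IMAGE, "parent_image": SAMPLE,
     "cmdline": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"'},
    {"pid": 2632, "ppid": 1964, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp"'},
    {"pid": 2460, "ppid": 1964, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    # Assumed benign control: an admin importing a task from a managed folder.
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /Create /TN "Backup" /XML "C:\Scripts\backup.xml"'},
]

# Any Add-MpPreference call that adds a Defender exclusion of some kind.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
# schtasks /Create ... /XML <file>; capture the XML path, quoted or bare.
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+\"?([^\"]+)\"?", re.I)
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion (PIDs 2648 and 2712 above)."""
    return (ev["image"].lower().endswith("powershell.exe")
            and DEFENDER_EXCLUSION.search(ev["cmdline"]) is not None)


def rule_schtasks_temp_xml(ev):
    """schtasks /Create importing task XML from a user-writable directory."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return False
    m = SCHTASKS_XML.search(ev["cmdline"])
    return m is not None and USER_WRITABLE.search(m.group(1)) is not None


def rule_self_spawn_user_path(ev):
    """A binary in a user-writable path launching a second copy of itself:
    the process-creation-side trace of hollowing a suspended child."""
    return (ev["image"].lower() == ev["parent_image"].lower()
            and USER_WRITABLE.search(ev["image"]) is not None)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_temp_xml": rule_schtasks_temp_xml,
    "self_spawn_user_path": rule_self_spawn_user_path,
}


def evaluate(events):
    """Run every rule, then correlate hits by parent PID. One rule alone is
    a medium signal (admins add exclusions too); two or more distinct rules
    firing on children of the same parent is the chain above, rated high."""
    hits = defaultdict(lambda: {"rules": set(), "pids": set()})
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["ppid"]]["rules"].add(name)
                hits[ev["ppid"]]["pids"].add(ev["pid"])
    findings = []
    for ppid, h in sorted(hits.items()):
        findings.append({
            "parent_pid": ppid,
            "rules": sorted(h["rules"]),
            "child_pids": sorted(h["pids"]),
            "severity": "high" if len(h["rules"]) >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only parent PID 1964 is reported, with all three rules and severity high; the benign schtasks import from C:\Scripts does not fire because its XML is not in a user-writable directory. On a suspect host the same two artifacts can be confirmed directly with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and schtasks /Query /TN "Updates\VpfYGImQGmj" /XML, and undone with Remove-MpPreference -ExclusionPath and schtasks /Delete /TN "Updates\VpfYGImQGmj" /F.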
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (no path recorded)
  Filesize: 1KB
  MD5: a1c3b5bdf89cae4b28390ab4aabb6185
  SHA1: 6c5f8495e9e9acb90c3a87576b3e5fa7ba5a8724
  SHA256: d704f65028bde786c80191add1b60dbb03004bdc843e499079d3cba78296eb11
  SHA512: a84af3cee4590b1823ea9b3bc8f6c94e8ea8365e290571ab1a3f9d66eabe56751a578c1feede5e70dd1c6f8d9cd3d0ad885c0e71791609c002e0dba78532cc57
File 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 02f68375ce9989eb14f8858b43719a52
  SHA1: 6048d2dd23300601ac807a038f3cbe251467f643
  SHA256: e5e66616b2303123adcbc90c7942e1c111a7eaae6db1366b3a9025947e8bc403
  SHA512: aa4f3e0391f641706df05027d03d273d0ab6aef4a70c1dec78681f8b92d5b23bdff3e639e7a83c31ce1a8de4ac0f896185fafb9e341ecbcc3564118ec1a2ef6b

The second entry is a Windows Jump List file (CustomDestinations) that Explorer writes when a file is opened; it records that the sample was launched but is not a payload, so it should not be treated as a dropped-file indicator.