Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-01-2024 17:12
Static task
static1
Behavioral task
behavioral1
Sample
receipt of full payment.exe
Resource
win7-20231129-en
General
-
Target
receipt of full payment.exe
-
Size
918KB
-
MD5
dc8adcc624f9599d45e5e3b63411e4c7
-
SHA1
65f0b0f038f3969d5080ec79ce559093b217c467
-
SHA256
2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
-
SHA512
51443b901a0abd5a74d69e22ec66367604a3b4005256efe3c96c843e5873ec158cec4dcc647508ca682975434514cf88977f170b6586bc31ae69b360919ce41e
-
SSDEEP
12288:mlUgySozdUd283S5qgkFCxjI4s+gGL+i7vJ0TG/r7jam+VM/NwNVJdPFZdVBo6U1:8mFudCDkFCx84OG9Brj7emT/NCVJdz
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: receipt of full payment.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | receipt of full payment.exe -
Suspicious use of SetThreadContext (1 IoC)
Processes: receipt of full payment.exe
description | pid | process | target process
PID 4420 set thread context of 60 | 4420 | receipt of full payment.exe | receipt of full payment.exe -
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes: receipt of full payment.exe, powershell.exe, powershell.exe
pid | process | occurrences
4420 | receipt of full payment.exe | 7
1488 | powershell.exe | 2
3520 | powershell.exe | 2 -
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: receipt of full payment.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4420 | receipt of full payment.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 3520 | powershell.exe -
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: receipt of full payment.exe
pid | process
60 | receipt of full payment.exe -
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: receipt of full payment.exe
description | pid | process | target process | occurrences
PID 4420 wrote to memory of 1488 | 4420 | receipt of full payment.exe | powershell.exe | 3
PID 4420 wrote to memory of 3520 | 4420 | receipt of full payment.exe | powershell.exe | 3
PID 4420 wrote to memory of 4268 | 4420 | receipt of full payment.exe | schtasks.exe | 3
PID 4420 wrote to memory of 60 | 4420 | receipt of full payment.exe | receipt of full payment.exe | 8
Processes
-
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe (PID 4420)
Command line: "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1488, child of 4420)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3520, child of 4420)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 4268, child of 4420)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp"
  - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe (PID 60, child of 4420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
  - Suspicious use of SetWindowsHookEx
Note: the command lines name System32, but the images that actually ran are under SysWOW64; the sample is a 32-bit process, so WoW64 file-system redirection maps its System32 requests to SysWOW64. Read together with the signatures above, the chain is: exclude the running sample and the copy under AppData\Roaming that the second exclusion and the task name refer to from Defender, register the task Updates\VpfYGImQGmj from an XML definition written to Temp, then start a second copy of the sample (PID 60) that PID 4420 writes into and sets the thread context of, which is consistent with process hollowing; the hook installed via SetWindowsHookEx is observed in that child, not in the parent.
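The three behaviours in this process tree (a Defender exclusion added from the command line, a scheduled task registered from an XML file in Temp, and a copy of the sample spawned from a user-writable path before SetThreadContext) are the parts of this chain that survive in ordinary process-creation telemetry, so they are what a detection should key on. The script below is an added example, not part of the Triage report or of any vendor's rule set. It runs the three checks over events constructed from the process tree above (PIDs and paths as reported) plus a constructed benign control; the severity thresholds and the set of "user-writable" directories are assumptions, and the event shape is a simplification of what Sysmon event ID 1 or an EDR provides.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (simplified from Sysmon EID 1 / EDR data)."""
    pid: int
    ppid: int
    image: str      # path of the image that actually ran (SysWOW64 for a 32-bit parent)
    cmdline: str    # command line as logged (may say System32; see the note above)


# Assumed set of directories an unprivileged user can write to. A binary here that
# excludes itself from Defender or spawns a copy of itself is a strong signal; the
# same behaviour from Program Files is far more often legitimate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
TASK_NAME_RE = re.compile(r'/TN\s+"?([^"]+)"?', re.I)
TASK_XML_RE = re.compile(r'/XML\s+"?([^"]+)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, severity, detail) tuples for the three behaviours."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)

        # Rule 1: Defender exclusion added from the command line. Severity is
        # raised when the excluded path is user-writable (assumed threshold).
        if name in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(e.cmdline)
            if m:
                target = m.group(1).strip()
                sev = "high" if USER_WRITABLE.search(target) else "medium"
                findings.append(("defender_exclusion", e.pid, sev, target))

        # Rule 2: scheduled task registered from an XML definition that sits in
        # a Temp directory (here a tmp*.tmp file written by the loader).
        if name == "schtasks.exe" and "/create" in e.cmdline.lower():
            xml = TASK_XML_RE.search(e.cmdline)
            if xml and re.search(r"\\Temp\\", xml.group(1), re.I):
                tn = TASK_NAME_RE.search(e.cmdline)
                findings.append(("schtasks_xml_from_temp", e.pid, "high",
                                 tn.group(1) if tn else xml.group(1)))

        # Rule 3: a process in a user-writable path spawns a second copy of itself.
        # Self-spawning alone is common (browsers, updaters); combined with the
        # path it is the shape of the SetThreadContext hollowing seen above.
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.search(e.image):
            findings.append(("self_spawn_user_writable", e.pid, "high", e.image))
    return findings


# Constructed events modelled on the process tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
EVENTS = [
    ProcEvent(4420, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1488, 4420, PS, PS_CMD + f'"{SAMPLE}"'),
    ProcEvent(3520, 4420, PS, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"'),
    ProcEvent(4268, 4420, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp"'),
    ProcEvent(60, 4420, SAMPLE, f'"{SAMPLE}"'),
]

# Constructed benign control: a browser self-spawning from Program Files must not fire.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
BENIGN = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(2000, 1000, CHROME, f'"{CHROME}"'),
    ProcEvent(2001, 2000, CHROME, f'"{CHROME}" --type=renderer'),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("benign findings:", detect(BENIGN))
```

Rule 1 matches on the cmdlet rather than on the exclusion path, so it also catches exclusions that point elsewhere and only downgrades them; rule 3 deliberately requires the user-writable path, because without it every Chromium renderer would fire.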
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
968cb9309758126772781b83adb8a28f
SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5
5d93829a00bbe784dc4f15f781013051
SHA1
7a20cb9ee19b54712cd60de23148302c18b15350
SHA256
9319e02af74869f0ba3ddedc64f33328c32a8618795ec03550a0afc68a816a3c
SHA512
a85053cd4d2f30692eef426b7dcfd7be51d1e2befdaff24636f74392477d30a4c1aba20fb0918ba5db47ad6a5f164ff04a346c786699b166d7308d51a9fe011c
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5
80f5ec2cb220dae8cb8ddb25b7ee5d0d
SHA1
7c17c97a012d9e4ddadf808d961150f5af9148a1
SHA256
eba1ecf8fab31e9cfa9c89ef739cdc7144501c0bb082755cde72129277966ad7
SHA512
420110cda37ad54028dfd6a908a58667eaf116776875ada118ba6c263ec12ea68a339c392e83892c5d794c0b71e94316a59e2a67e8196ef4baa647b37169c4d8