Analysis Overview
SHA256
53f4f2fdacb71053c9f371a052d8deb9cd0dc357313f88e20a96c2c10588042b
Threat Level: Known bad
The file receipt of full payment.xz was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Kinsing
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:12
Reported
2024-01-25 17:14
Platform
win7-20231129-en
Max time kernel
135s
Max time network
118s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe
"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp"
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe
"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
Network
Files
memory/1964-1-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1964-0-0x0000000000910000-0x00000000009FC000-memory.dmp
memory/1964-2-0x00000000073B0000-0x00000000073F0000-memory.dmp
memory/1964-3-0x00000000004F0000-0x0000000000504000-memory.dmp
memory/1964-4-0x00000000005F0000-0x00000000005F8000-memory.dmp
memory/1964-5-0x0000000000600000-0x000000000060C000-memory.dmp
memory/1964-6-0x00000000075F0000-0x0000000007692000-memory.dmp
memory/1964-7-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1964-8-0x00000000073B0000-0x00000000073F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 02f68375ce9989eb14f8858b43719a52 |
| SHA1 | 6048d2dd23300601ac807a038f3cbe251467f643 |
| SHA256 | e5e66616b2303123adcbc90c7942e1c111a7eaae6db1366b3a9025947e8bc403 |
| SHA512 | aa4f3e0391f641706df05027d03d273d0ab6aef4a70c1dec78681f8b92d5b23bdff3e639e7a83c31ce1a8de4ac0f896185fafb9e341ecbcc3564118ec1a2ef6b |
C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp
| MD5 | a1c3b5bdf89cae4b28390ab4aabb6185 |
| SHA1 | 6c5f8495e9e9acb90c3a87576b3e5fa7ba5a8724 |
| SHA256 | d704f65028bde786c80191add1b60dbb03004bdc843e499079d3cba78296eb11 |
| SHA512 | a84af3cee4590b1823ea9b3bc8f6c94e8ea8365e290571ab1a3f9d66eabe56751a578c1feede5e70dd1c6f8d9cd3d0ad885c0e71791609c002e0dba78532cc57 |
memory/2460-21-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2460-23-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2460-25-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2460-31-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1964-33-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/2460-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2460-34-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2648-36-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2712-38-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2648-41-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2460-44-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2712-45-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2648-43-0x0000000002840000-0x0000000002880000-memory.dmp
memory/2712-42-0x0000000002D60000-0x0000000002DA0000-memory.dmp
memory/2648-40-0x0000000002840000-0x0000000002880000-memory.dmp
memory/2712-39-0x0000000002D60000-0x0000000002DA0000-memory.dmp
memory/2648-47-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2712-46-0x000000006F880000-0x000000006FE2B000-memory.dmp
memory/2460-48-0x0000000000400000-0x0000000000463000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:12
Reported
2024-01-25 17:14
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
DarkCloud
Kinsing
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4420 set thread context of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe
"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfYGImQGmj.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfYGImQGmj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp"
C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe
"C:\Users\Admin\AppData\Local\Temp\receipt of full payment.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/4420-1-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/4420-0-0x0000000000D90000-0x0000000000E7C000-memory.dmp
memory/4420-2-0x0000000008290000-0x0000000008834000-memory.dmp
memory/4420-3-0x0000000007D80000-0x0000000007E12000-memory.dmp
memory/4420-4-0x0000000007FC0000-0x0000000007FD0000-memory.dmp
memory/4420-5-0x0000000003130000-0x000000000313A000-memory.dmp
memory/4420-7-0x000000000A710000-0x000000000A7AC000-memory.dmp
memory/4420-6-0x00000000081E0000-0x00000000081F4000-memory.dmp
memory/4420-8-0x00000000092B0000-0x00000000092B8000-memory.dmp
memory/4420-9-0x00000000092C0000-0x00000000092CC000-memory.dmp
memory/4420-10-0x000000000AA40000-0x000000000AAE2000-memory.dmp
memory/4420-11-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/4420-12-0x0000000007FC0000-0x0000000007FD0000-memory.dmp
memory/1488-18-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/1488-17-0x0000000004FC0000-0x0000000004FF6000-memory.dmp
memory/1488-19-0x0000000005060000-0x0000000005070000-memory.dmp
memory/1488-20-0x0000000005060000-0x0000000005070000-memory.dmp
memory/1488-21-0x00000000056A0000-0x0000000005CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB1AC.tmp
| MD5 | 80f5ec2cb220dae8cb8ddb25b7ee5d0d |
| SHA1 | 7c17c97a012d9e4ddadf808d961150f5af9148a1 |
| SHA256 | eba1ecf8fab31e9cfa9c89ef739cdc7144501c0bb082755cde72129277966ad7 |
| SHA512 | 420110cda37ad54028dfd6a908a58667eaf116776875ada118ba6c263ec12ea68a339c392e83892c5d794c0b71e94316a59e2a67e8196ef4baa647b37169c4d8 |
memory/3520-22-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/1488-24-0x00000000055A0000-0x00000000055C2000-memory.dmp
memory/3520-25-0x0000000005120000-0x0000000005186000-memory.dmp
memory/3520-28-0x00000000053B0000-0x0000000005416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdwvbw0j.mar.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/60-29-0x0000000000400000-0x0000000000463000-memory.dmp
memory/3520-41-0x0000000005420000-0x0000000005774000-memory.dmp
memory/4420-40-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/60-26-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1488-53-0x0000000006560000-0x000000000657E000-memory.dmp
memory/3520-54-0x0000000005A30000-0x0000000005A7C000-memory.dmp
memory/3520-68-0x0000000005FA0000-0x0000000005FBE000-memory.dmp
memory/3520-58-0x000000007F4C0000-0x000000007F4D0000-memory.dmp
memory/1488-81-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3520-80-0x00000000069E0000-0x0000000006A83000-memory.dmp
memory/3520-70-0x00000000020D0000-0x00000000020E0000-memory.dmp
memory/1488-69-0x00000000716A0000-0x00000000716EC000-memory.dmp
memory/3520-57-0x00000000716A0000-0x00000000716EC000-memory.dmp
memory/3520-83-0x0000000007370000-0x00000000079EA000-memory.dmp
memory/1488-84-0x0000000007910000-0x000000000791A000-memory.dmp
memory/1488-82-0x0000000007890000-0x00000000078AA000-memory.dmp
memory/1488-56-0x0000000006B40000-0x0000000006B72000-memory.dmp
memory/1488-55-0x000000007F030000-0x000000007F040000-memory.dmp
memory/3520-85-0x0000000006FA0000-0x0000000007036000-memory.dmp
memory/1488-86-0x0000000007A90000-0x0000000007AA1000-memory.dmp
memory/1488-88-0x0000000007AD0000-0x0000000007AE4000-memory.dmp
memory/1488-87-0x0000000007AC0000-0x0000000007ACE000-memory.dmp
memory/3520-90-0x0000000007040000-0x0000000007048000-memory.dmp
memory/1488-89-0x0000000007BD0000-0x0000000007BEA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3520-97-0x0000000074EB0000-0x0000000075660000-memory.dmp
memory/1488-96-0x0000000074EB0000-0x0000000075660000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d93829a00bbe784dc4f15f781013051 |
| SHA1 | 7a20cb9ee19b54712cd60de23148302c18b15350 |
| SHA256 | 9319e02af74869f0ba3ddedc64f33328c32a8618795ec03550a0afc68a816a3c |
| SHA512 | a85053cd4d2f30692eef426b7dcfd7be51d1e2befdaff24636f74392477d30a4c1aba20fb0918ba5db47ad6a5f164ff04a346c786699b166d7308d51a9fe011c |
memory/60-98-0x0000000000400000-0x0000000000463000-memory.dmp