Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29-01-2024 02:00
Static task
static1
Behavioral task
behavioral1
Sample
payment receipts.exe
Resource
win7-20231215-en
General
-
Target
payment receipts.exe
-
Size
986KB
-
MD5
cdcfa8aab8a4766ddb88df4635104d83
-
SHA1
7ad43cc7224f694995e53325a581e659eabe2e16
-
SHA256
0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
-
SHA512
9948e0571bfd8a167ad456a7aa4380b7f73f0bc77475b827bb20303a5fe1bce03670900e275cec573c88df51cd42a2060012bba623c7358640af8e1209210acb
-
SSDEEP
24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
payment receipts.exedescription pid process target process PID 1992 set thread context of 2584 1992 payment receipts.exe payment receipts.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
payment receipts.exepowershell.exepowershell.exepid process 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 1992 payment receipts.exe 2788 powershell.exe 2248 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
payment receipts.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1992 payment receipts.exe Token: SeDebugPrivilege 2788 powershell.exe Token: SeDebugPrivilege 2248 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
payment receipts.exepid process 2584 payment receipts.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
payment receipts.exedescription pid process target process PID 1992 wrote to memory of 2248 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2248 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2248 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2248 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2788 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2788 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2788 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2788 1992 payment receipts.exe powershell.exe PID 1992 wrote to memory of 2960 1992 payment receipts.exe schtasks.exe PID 1992 wrote to memory of 2960 1992 payment receipts.exe schtasks.exe PID 1992 wrote to memory of 2960 1992 payment receipts.exe schtasks.exe PID 1992 wrote to memory of 2960 1992 payment receipts.exe schtasks.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe PID 1992 wrote to memory of 2584 1992 payment receipts.exe payment receipts.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8E3.tmp"2⤵
- Creates scheduled task(s)
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:2584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5463cd327d3e513344550f47f1a84e4b0
SHA1cab2121180c408fe2b13e0763f6eafad10fb8a4a
SHA256985f73850f31683037816aa9b2bada09230a3231f1a427ccd695b02ab270dcdf
SHA512cb6cdbd06cb8a204be1bc7835aa8b0d9aeca6697c349b4a30ed7978576a57813bd4ac7942fda873f5bde7c5772419a206833a5688cf89c41f9058d1ce847b707
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD559bf2f4d6b2d30afc4eb15e5b02c7a33
SHA1a1cae98570e728c2f772fd7a3abd59197a29bd32
SHA2566207e0c0c893e4bbea11a5d7e53cffc7ebdc04d97db6bc466b33ca517621f48b
SHA5128b00b710e8b608de374b835a5e0c4d215e2b0ec4338ca24527bd62bfbbb41756deca66362ed41bae9a7939cff289a2471ba6ba49a7dd88aeeccc7981f9ceb0d6