Analysis
- max time kernel: 135s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31-01-2024 15:04
Static task: static1
Behavioral task: behavioral1
- Sample: payment receipts.exe
- Resource: win7-20231129-en
General
- Target: payment receipts.exe
- Size: 986KB
- MD5: cdcfa8aab8a4766ddb88df4635104d83
- SHA1: 7ad43cc7224f694995e53325a581e659eabe2e16
- SHA256: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
- SHA512: 9948e0571bfd8a167ad456a7aa4380b7f73f0bc77475b827bb20303a5fe1bce03670900e275cec573c88df51cd42a2060012bba623c7358640af8e1209210acb
- SSDEEP: 24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk
Malware Config
Extracted: darkcloud
- email_from
- email_to
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2152 set thread context of 2704 | 2152 | payment receipts.exe | payment receipts.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid | process):
  2152 | payment receipts.exe (7 entries)
  2624 | powershell.exe
  2572 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2152 | payment receipts.exe
  Token: SeDebugPrivilege | 2572 | powershell.exe
  Token: SeDebugPrivilege | 2624 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  2704 | payment receipts.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process):
  PID 2152 wrote to memory of 2624 | 2152 | payment receipts.exe | powershell.exe (4 entries)
  PID 2152 wrote to memory of 2572 | 2152 | payment receipts.exe | powershell.exe (4 entries)
  PID 2152 wrote to memory of 2712 | 2152 | payment receipts.exe | schtasks.exe (4 entries)
  PID 2152 wrote to memory of 2704 | 2152 | payment receipts.exe | payment receipts.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\payment receipts.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"
  PID: 2152
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment receipts.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"
    PID: 2704
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp734C.tmp"
    PID: 2712
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"
    PID: 2572
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"
    PID: 2624
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 1KB
  MD5: fc0a9e528c27d61b5320e9650643117c
  SHA1: 251d3acf0e5f8d653abf42c977e9f82ddb7da06d
  SHA256: 1b8b77e1399ce5611ba9ee527f83f5aada86c24df90761600ff4ff9e7aa2f3bf
  SHA512: 6ffc5ff51afb7b07a69596552d6ad9e23e7aa332ce7e23b375cc9da06cdef09c7a556eafbdeedc2e4e066a845eba5c732f2da18115da22dcb6088e5843260271
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 716e332a3292c2d12c4d3b3f3dfc1d20
  SHA1: ea360a3e63f4480e1bb39c6d574af89cb7e0520d
  SHA256: fa6564d3f570d3174456a66b10968f9cf2d0f808f256d5a7ad3ce802dca51841
  SHA512: fcab6a27c6640859d6e6e47551b0cb223e7fd9f78a61d8968224753ff16ad1fdb07ea9221f8a5644fa036e1ca7ab62dd09f78e306900a3e21a8f796d319c0e93