Analysis Overview
SHA256
0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
Threat Level: Known bad
The file payment receipts.exe was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-31 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-31 15:04
Reported
2024-01-31 15:06
Platform
win7-20231129-en
Max time kernel
135s
Max time network
119s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2152 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
| C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp734C.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
Network
Files
memory/2152-1-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2152-0-0x0000000000B90000-0x0000000000C8C000-memory.dmp
memory/2152-2-0x0000000000490000-0x00000000004D0000-memory.dmp
memory/2152-3-0x00000000005A0000-0x00000000005B8000-memory.dmp
memory/2152-4-0x0000000000940000-0x0000000000948000-memory.dmp
memory/2152-5-0x0000000000950000-0x000000000095C000-memory.dmp
memory/2152-6-0x0000000007870000-0x0000000007912000-memory.dmp
memory/2152-7-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2152-8-0x0000000000490000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp734C.tmp
| Hash | Value |
|---|---|
| MD5 | fc0a9e528c27d61b5320e9650643117c |
| SHA1 | 251d3acf0e5f8d653abf42c977e9f82ddb7da06d |
| SHA256 | 1b8b77e1399ce5611ba9ee527f83f5aada86c24df90761600ff4ff9e7aa2f3bf |
| SHA512 | 6ffc5ff51afb7b07a69596552d6ad9e23e7aa332ce7e23b375cc9da06cdef09c7a556eafbdeedc2e4e066a845eba5c732f2da18115da22dcb6088e5843260271 |
memory/2704-21-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2704-23-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2704-31-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2704-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2152-35-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2704-33-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2572-37-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
memory/2704-25-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2572-40-0x0000000002940000-0x0000000002980000-memory.dmp
memory/2624-39-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/2624-41-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
memory/2624-38-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
memory/2572-42-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Hash | Value |
|---|---|
| MD5 | 716e332a3292c2d12c4d3b3f3dfc1d20 |
| SHA1 | ea360a3e63f4480e1bb39c6d574af89cb7e0520d |
| SHA256 | fa6564d3f570d3174456a66b10968f9cf2d0f808f256d5a7ad3ce802dca51841 |
| SHA512 | fcab6a27c6640859d6e6e47551b0cb223e7fd9f78a61d8968224753ff16ad1fdb07ea9221f8a5644fa036e1ca7ab62dd09f78e306900a3e21a8f796d319c0e93 |
memory/2572-46-0x0000000002940000-0x0000000002980000-memory.dmp
memory/2704-47-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2624-45-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/2624-44-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/2572-43-0x0000000002940000-0x0000000002980000-memory.dmp
memory/2572-49-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
memory/2624-48-0x000000006E4F0000-0x000000006EA9B000-memory.dmp
memory/2704-50-0x0000000000400000-0x0000000000463000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-31 15:04
Reported
2024-01-31 15:06
Platform
win10v2004-20231222-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
DarkCloud
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4972 set thread context of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB82.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe" |
| C:\Users\Admin\AppData\Local\Temp\payment receipts.exe | "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
Files
memory/4972-1-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4972-3-0x0000000007DC0000-0x0000000007E52000-memory.dmp
memory/4972-4-0x0000000003530000-0x0000000003540000-memory.dmp
memory/4972-6-0x0000000007FF0000-0x000000000808C000-memory.dmp
memory/4972-5-0x0000000003310000-0x000000000331A000-memory.dmp
memory/4972-2-0x0000000008370000-0x0000000008914000-memory.dmp
memory/4972-0-0x0000000000DC0000-0x0000000000EBC000-memory.dmp
memory/4972-7-0x0000000008340000-0x0000000008358000-memory.dmp
memory/4972-9-0x0000000008120000-0x000000000812C000-memory.dmp
memory/4972-8-0x0000000007FE0000-0x0000000007FE8000-memory.dmp
memory/4972-10-0x00000000096A0000-0x0000000009742000-memory.dmp
memory/4972-11-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4972-12-0x0000000003530000-0x0000000003540000-memory.dmp
memory/764-17-0x00000000029F0000-0x0000000002A26000-memory.dmp
memory/764-18-0x0000000074980000-0x0000000075130000-memory.dmp
memory/1372-19-0x00000000054C0000-0x0000000005AE8000-memory.dmp
memory/764-20-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/1372-21-0x0000000074980000-0x0000000075130000-memory.dmp
memory/764-22-0x0000000005360000-0x0000000005382000-memory.dmp
memory/1372-24-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/1372-27-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/764-29-0x0000000005D60000-0x00000000060B4000-memory.dmp
memory/764-28-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arefjtf2.zyo.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3736-36-0x0000000000400000-0x0000000000463000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAB82.tmp
| Hash | Value |
|---|---|
| MD5 | bb0544b4076432dbff5c8177144e2bbb |
| SHA1 | 880874a4e90540eeec479dbd0d52a98fea40ccfb |
| SHA256 | 26026364938eb1ce04b467d5a43ae856b61c63f1a06f570fca394c23c33d5ae1 |
| SHA512 | cf2661b342d8044678537917a994f4863540237f60436ee44f6cec8ddbe7611e3c1c18d44ad3f82969031dd01b3fe494e6d77981929f92571667c7e3468bad1d |
memory/4972-53-0x0000000074980000-0x0000000075130000-memory.dmp
memory/3736-50-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1372-26-0x0000000005CA0000-0x0000000005D06000-memory.dmp
memory/1372-23-0x00000000053B0000-0x0000000005416000-memory.dmp
memory/764-55-0x0000000006310000-0x000000000632E000-memory.dmp
memory/764-56-0x0000000006340000-0x000000000638C000-memory.dmp
memory/764-66-0x0000000075210000-0x000000007525C000-memory.dmp
memory/764-81-0x0000000007500000-0x00000000075A3000-memory.dmp
memory/1372-82-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/764-83-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/1372-72-0x0000000006870000-0x000000000688E000-memory.dmp
memory/1372-60-0x0000000075210000-0x000000007525C000-memory.dmp
memory/1372-85-0x0000000007600000-0x000000000761A000-memory.dmp
memory/764-86-0x00000000076B0000-0x00000000076BA000-memory.dmp
memory/764-84-0x0000000007C80000-0x00000000082FA000-memory.dmp
memory/1372-87-0x0000000007880000-0x0000000007916000-memory.dmp
memory/764-88-0x0000000007840000-0x0000000007851000-memory.dmp
memory/764-59-0x000000007FAC0000-0x000000007FAD0000-memory.dmp
memory/764-58-0x00000000068D0000-0x0000000006902000-memory.dmp
memory/1372-57-0x000000007EF10000-0x000000007EF20000-memory.dmp
memory/764-89-0x0000000007870000-0x000000000787E000-memory.dmp
memory/764-91-0x0000000007980000-0x000000000799A000-memory.dmp
memory/1372-92-0x0000000007920000-0x0000000007928000-memory.dmp
memory/764-90-0x0000000007880000-0x0000000007894000-memory.dmp
memory/1372-99-0x0000000074980000-0x0000000075130000-memory.dmp
memory/764-98-0x0000000074980000-0x0000000075130000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | bcbf21974cd645249dd30220c1c0656e |
| SHA1 | 4f8384c59cbfe134e8f9bbbc347aa5c9e488e70c |
| SHA256 | d5f5620454d7c7079ec2c382b8f0c44084cad53caf0e8345de2931e371718816 |
| SHA512 | 76ac433a22a76389f854e6a561d7fcfaeb7cb21ae441f70bb87a916f4770137c976027fed7da5a13a97e0d50a780a969a3921db1af4d98b255ea914adb32e138 |
memory/3736-100-0x0000000000400000-0x0000000000463000-memory.dmp