Resubmissions

  • 09-03-2024 23:39  240309-3nca1seb46 (score 8/10)
  • 09-03-2024 23:35  240309-3lfknaee9s (score 8/10)
  • 09-03-2024 23:31  240309-3hvkeadh98 (score 8/10)
  • 09-03-2024 23:29  240309-3gspesdh76 (score 8/10)

Analysis

  • max time kernel
    80s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-03-2024 23:39

General

  • Target

    paypalmoneygen.exe

  • Size

    409KB

  • MD5

    aab68536e0cfbb3c3149a02021a09206

  • SHA1

    1f2a2e8517d764281b0e076cab5c98c4b9a2cb94

  • SHA256

    4364fdf8e6b7b58cbfc34aab3a86368c1c73467ec5d74847b07d72b50a99d3d7

  • SHA512

    e622a0797e3455fc213c2078ccc1cc5b769cd09d94d3c4acb140ca87fe607485ac919be83e1d7661199383bee0f3471a5653e6ef9800fde94230b7e3d3311659

  • SSDEEP

    12288:wORqrdkTyk4Osir2upORqrdOOsir2upORqrdHOsir2u:jiKJFfr2Pixfr2Pi4fr2

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries (2 TTPs)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (28 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API (ITaskService and related interfaces) can be used to register tasks that run an application at boot or at set times, which makes it a common persistence mechanism.

Processes

  • C:\Users\Admin\AppData\Local\Temp\paypalmoneygen.exe
    "C:\Users\Admin\AppData\Local\Temp\paypalmoneygen.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2060
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\HookDLL64.dll

    Filesize

    137KB

    MD5

    453d2cdee9141c2b68cb1005252cbb38

    SHA1

    35a6104146f4dabb3a55b3b6b4adf5a1e50cbe7e

    SHA256

    c9382948f62a4505f5e4b7d9bebae020ecd1e39ea9758175f6c727306d826ec4

    SHA512

    43f9a3f67126d1950f0fde6e98d3171e005a9ef42ed68924cb893ba4ba2dbf8afba9b5c74430524bb6376fce892782667e3b3299a8db470025c7429f52202bf1

  • memory/2680-4-0x0000000076EF0000-0x0000000076EF1000-memory.dmp

    Filesize

    4KB

  • memory/2680-5-0x000007FEFD810000-0x000007FEFD811000-memory.dmp

    Filesize

    4KB

  • memory/2680-6-0x0000000002C40000-0x0000000002C92000-memory.dmp

    Filesize

    328KB

  • memory/2680-7-0x0000000003F20000-0x0000000003F21000-memory.dmp

    Filesize

    4KB

  • memory/2680-8-0x0000000003F20000-0x0000000003F21000-memory.dmp

    Filesize

    4KB
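The report ties together three things a responder would want to verify on a suspect host: the sample drops C:\Windows\HookDLL64.dll, trips the "Modifies AppInit DLL entries" signature, and uses the Task Scheduler COM API; explorer.exe (PID 2680) then shows hook-style behaviour, which is consistent with a DLL registered through AppInit_DLLs being loaded by user32.dll into GUI processes. The PowerShell below is an added host-triage check, not part of the Triage report or of the sample; the file paths and SHA-256 values are copied from the report, and the registry locations, the AppInit_DLLs loading semantics, the "suspicious path" patterns used to flag tasks, and the choice to use the Schedule.Service COM object (Get-ScheduledTask does not exist on Windows 7) are the editor's assumptions about how the check is done, not something the report states.

```powershell
# Added host-triage check for the artefacts flagged in this report (editor's
# code, not from the sandbox or the sample). Paths and hashes are copied from
# the report; everything else is an assumption about how to verify them.

$ReportSha256 = @{
    'C:\Windows\HookDLL64.dll'                             = 'c9382948f62a4505f5e4b7d9bebae020ecd1e39ea9758175f6c727306d826ec4'
    'C:\Users\Admin\AppData\Local\Temp\paypalmoneygen.exe' = '4364fdf8e6b7b58cbfc34aab3a86368c1c73467ec5d74847b07d72b50a99d3d7'
}

# SHA-256 via .NET so this also works on Windows 7 / PowerShell 2.0, which lacks Get-FileHash.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

# 1. File indicators: is the dropped DLL (or the dropper) present, and does the
#    on-disk hash match the one in the report?
foreach ($path in $ReportSha256.Keys) {
    if (Test-Path -LiteralPath $path) {
        $actual = Get-Sha256Hex -Path $path
        $verdict = if ($actual -eq $ReportSha256[$path]) { 'MATCH' } else { 'hash differs' }
        Write-Output ("[file] {0} present, SHA256 {1} ({2})" -f $path, $actual, $verdict)
    } else {
        Write-Output ("[file] {0} not present" -f $path)
    }
}

# 2. AppInit_DLLs: every DLL listed here is loaded by user32.dll into each GUI
#    process, which is how a dropped hook DLL ends up inside explorer.exe.
#    LoadAppInit_DLLs is 0 by default on Windows 7 and later, so a value of 1
#    next to a non-empty list is itself a finding. On x64 the native key and
#    the Wow6432Node key are independent (64-bit vs 32-bit processes).
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props  = Get-ItemProperty -Path $key
    $dlls   = $props.AppInit_DLLs
    $load   = $props.LoadAppInit_DLLs
    $signed = $props.RequireSignedAppInit_DLLs   # absent on Windows 7, prints empty
    Write-Output ("[appinit] {0}: AppInit_DLLs='{1}' LoadAppInit_DLLs={2} RequireSignedAppInit_DLLs={3}" -f $key, $dlls, $load, $signed)
    if ($dlls -and $load -eq 1) {
        Write-Output "[appinit]   WARNING: AppInit DLL loading is enabled with a non-empty DLL list"
    }
}

# 3. Scheduled tasks, enumerated through the same COM API the sample used
#    (ITaskService / ITaskFolder). Hidden tasks are included.
function Get-AllTasks($folder) {
    foreach ($task in $folder.GetTasks(1)) { $task }      # 1 = TASK_ENUM_HIDDEN
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$root = $svc.GetFolder('\')
foreach ($task in Get-AllTasks $root) {
    foreach ($action in $task.Definition.Actions) {
        if ($action.Type -ne 0) { continue }                # 0 = TASK_ACTION_EXEC
        $exe = [string]$action.Path
        # Assumed heuristic: flag tasks whose executable lives in user-writable
        # or unusual locations, which is where droppers like this sample run from.
        if ($exe -match '\\AppData\\|\\Temp\\|\\Users\\Public\\|HookDLL') {
            Write-Output ("[task] {0} runs {1} {2}" -f $task.Path, $exe, $action.Arguments)
        }
    }
}
```

Run it in an elevated PowerShell on the host under investigation; a matching SHA-256 for C:\Windows\HookDLL64.dll plus LoadAppInit_DLLs=1 with that DLL in the list confirms the persistence path the report's signatures describe, while the task listing is there to catch the alternative the "Uses Task Scheduler COM API" signature points at. A hash mismatch does not clear the host, since a repacked build of the same family would differ, so treat the file's presence at that path as a finding on its own.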