f983d90eba7902a6656cfb2b5734f5b72aabe656bc24f2bf21ec9b8ab0428b88

General

Target

BILLING REPORT.exe
Size

670KB
MD5

0e2cf387d4c9e428e4fe7426267dcf78
SHA1

6b9d263c151a33ed3f4a190ff946d52220e0f4f9
SHA256

4f632d095e16ece2c5dfae8a7960012ae4c94d5d8420c1a4370161d7eb2cf16d
SHA512

fb006aefc41f72b39ab9c6d45056af8bc8c52ade79aa4991977535632075ee555d74495eae741c9a19c28461d3da853d8d07d8ceaba8364c0e2fdd46d614ccc4
SSDEEP

12288:B7NtLK1lOYgzMEcgyAZx94KgLGeq/tsWzsCywR8Sk4:hicNQ+xCKaGhloPT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2972 schtasks.exe

pid	process
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

BILLING REPORT.exepowershell.exepowershell.exe

pid	process
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2500	BILLING REPORT.exe
2388	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BILLING REPORT.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2500 BILLING REPORT.exe
Token: SeDebugPrivilege 2388 powershell.exe
Token: SeDebugPrivilege 2832 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2500	BILLING REPORT.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

BILLING REPORT.exe

description	pid	process	target process
PID 2500 wrote to memory of 2388	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2388	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2388	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2388	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2832	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2832	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2832	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2832	2500	BILLING REPORT.exe	powershell.exe
PID 2500 wrote to memory of 2972	2500	BILLING REPORT.exe	schtasks.exe
PID 2500 wrote to memory of 2972	2500	BILLING REPORT.exe	schtasks.exe
PID 2500 wrote to memory of 2972	2500	BILLING REPORT.exe	schtasks.exe
PID 2500 wrote to memory of 2972	2500	BILLING REPORT.exe	schtasks.exe
PID 2500 wrote to memory of 1720	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1720	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1720	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1720	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1972	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1972	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1972	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1972	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1940	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1940	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1940	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1940	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1716	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1716	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1716	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1716	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1964	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1964	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1964	2500	BILLING REPORT.exe	BILLING REPORT.exe
PID 2500 wrote to memory of 1964	2500	BILLING REPORT.exe	BILLING REPORT.exe

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SOhaQHvG.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOhaQHvG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp"
2⤵
- Creates scheduled task(s)
PID:2972

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe
"C:\Users\Admin\AppData\Local\Temp\BILLING REPORT.exe"
2⤵
PID:1964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp
Filesize
1KB

MD5
7ae7b4f5acd15f6cff34a6d3404b2fbd

SHA1
a61ace4c1e20f49afadd3b395b66f26d3c41e8e7

SHA256
a5dca4fd864538ae7fc4257cca2f789de4111ce8a97fe7e2b84c88ecb74e53fe

SHA512
43284fa9398781c5fdf9d3bfe60a123140615267c3a5791b6bac2368f879aa0fa673b9984cc6a2a7dc2279e42acc0154f678096e6cc24c1d54b176e0e05fd217

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EA3S9QCNLSHB82EPH4Q9.temp
Filesize
7KB

MD5
1ffb99b0a6106888f08ef51d25e79b9e

SHA1
1c724944f9d0f543ffe305c79217bfb1e24aa355

SHA256
00673dae94dfae6164d17678d7c7e1ab008c41353431a5a4964fd9452298e5dc

SHA512
ddf295667410e56f7f9794501947804fa48e6a6585a5f55478c5cbe2b2da7cf54ce5e34093a2d248e6ef66a8442764acb7e260fa2869cd2147f9880e03e1334a

Download Submit
memory/2388-25-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-21-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-30-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-26-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2388-27-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2388-24-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2500-20-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-5-0x0000000005510000-0x0000000005592000-memory.dmp

Filesize
520KB

Download
memory/2500-18-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-3-0x00000000003F0000-0x000000000040A000-memory.dmp

Filesize
104KB

Download
memory/2500-19-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/2500-4-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2500-1-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-0-0x0000000000040000-0x00000000000EE000-memory.dmp

Filesize
696KB

Download
memory/2500-2-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/2832-22-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-28-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2832-29-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2832-31-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-23-0x000000006DF60000-0x000000006E50B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads