Overview

overview

10

Static

static

10

Tax Paymen...pt.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    453s
  • max time network
    455s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tax Payment Receipt.exe

  • Size

    877KB

  • MD5

    cac42f0744e58164039fbc2ef62da404

  • SHA1

    85e2ffe52fb62712a110cf8d9d2d6fa6269306b6

  • SHA256

    7757fb2455891d1cbcf89ca3cdf291bacaee9c3f1835826a4831c49fbd8249f1

  • SHA512

    64cd76c4d78b2e0dd1c2e5a96fc71426c06b3584e4ff61e0aed3f7de88c9e573f96b9c3aaf2f27fce3514093adbd8a0f1f3d8479438b0fd8bb1fb064365a6e85

  • SSDEEP

    12288:5xP/62UAecZ/n6Z5P3Z8sO46A9jmP/uhu/yMS08CkntxYRkL:v6vAZZ/6bisZfmP/UDMS08Ckn37

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2320
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:2044
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3544
      • C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe
        "C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:912
      • C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe
        "C:\Users\Admin\AppData\Local\Temp\Tax Payment Receipt.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1192
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
        1⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Debug\WIA\wiatrace.log
        Filesize

        1KB

        MD5

        a0a45248f1d9a895ced9a88fa6d409a7

        SHA1

        7ef42cc73c81d94b60ee89c106275ba722c09a9f

        SHA256

        0e8fc47aff3af3fd1336bfdd81f5d29488bafc3498b19240ab08f595e247ef52

        SHA512

        8941b23e2b095160eefebb26af72ae3fd122802be3afba2aea8ca3fe6eec204bff3e1a50f5fb53e9d263873eda1c4163e42ce24ce2cfcc7f75a4abc00318202a

        Download Submit