d741ff9965978c828a9517b0b1d3ad6a8997762af665a53857e03e6abb89b5b8

General

Target

Credit_Card_Generator.rar
Size

6.7MB
MD5

26515231a367ffe425a46b143435f556
SHA1

c79cc5bcc134dfd0591444d797d6b4bef5fbd9d5
SHA256

d741ff9965978c828a9517b0b1d3ad6a8997762af665a53857e03e6abb89b5b8
SHA512

264a4cfa4d2253b5f7d33c6d49be90276babd50a359ed35b1be3aa095ab7a5779c16143a998a7df979bb110eb4db2457a9c0f055d0a5d0425058ffaf8d454674
SSDEEP

196608:175pJmw0HJHIHznEQWQY13LrTA5+XX8iQtnQ+StfTQE:5o7pyEQHK05VfStH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1668	Credit Card Generator Setup.exe
1748	Credit Card Generator Setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1132	Process not Found
1132	Process not Found
1748	Credit Card Generator Setup.exe
1132	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001745d-56.dat	upx
behavioral1/memory/1748-58-0x000007FEF5770000-0x000007FEF5D5A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2552	7zFM.exe
Token: 35	2552	7zFM.exe
Token: SeSecurityPrivilege	2552	7zFM.exe
Token: SeSecurityPrivilege	2552	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2552	7zFM.exe
2552	7zFM.exe
2552	7zFM.exe
2552	7zFM.exe
3012	SndVol.exe
3012	SndVol.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3012	SndVol.exe
3012	SndVol.exe
3012	SndVol.exe
3012	SndVol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2552	2252	cmd.exe	29
PID 2252 wrote to memory of 2552	2252	cmd.exe	29
PID 2252 wrote to memory of 2552	2252	cmd.exe	29
PID 2552 wrote to memory of 2576	2552	7zFM.exe	30
PID 2552 wrote to memory of 2576	2552	7zFM.exe	30
PID 2552 wrote to memory of 2576	2552	7zFM.exe	30
PID 1668 wrote to memory of 1748	1668	Credit Card Generator Setup.exe	37
PID 1668 wrote to memory of 1748	1668	Credit Card Generator Setup.exe	37
PID 1668 wrote to memory of 1748	1668	Credit Card Generator Setup.exe	37

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Credit_Card_Generator.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Credit_Card_Generator.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8F989746\Password_Credit.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2576

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45548699 22365
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1560

C:\Users\Admin\Desktop\Credit Card Generator Setup.exe
"C:\Users\Admin\Desktop\Credit Card Generator Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\Desktop\Credit Card Generator Setup.exe
  "C:\Users\Admin\Desktop\Credit Card Generator Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8F989746\Password_Credit.txt

Filesize
39B

MD5
b7848233394532164483d16ba92d6980

SHA1
b50b88a6de5fd6d641e9f22afbfeff76fd57aa95

SHA256
d7ccdc0c5741d1cdc62542e0ac111ecfff781a1b0ab49f5e9547ddb3f3696df4

SHA512
f7fdfbfb2bc1c2259a8a83ac2105757956f64dac9c0907f1abf767c581d22c0c8bf0c620c1956727418bee5931e6b43a8954e35c9453d89b70cc120589423914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16682\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
\Users\Admin\Desktop\Credit Card Generator Setup.exe

Filesize
6.8MB

MD5
4c9131a29420ef639e6b00384fc56a14

SHA1
c89774e6ade2fb43d063cd0ef7d7295ecbb4fd91

SHA256
1580cb73273e63ee07e4e6ca8541354786ce6c624a8f1106cb828f04ca6b22d8

SHA512
99856fde62480721118321c8ddac89b30dcf3fcce78f9e4724aedf4e118ae3f00594785a86fac553900f8735ebf219e2d1e6b2ab4c5695ec27014c518bc8a6e0

Download Submit
memory/1748-58-0x000007FEF5770000-0x000007FEF5D5A000-memory.dmp

Filesize
5.9MB

Download
memory/3012-31-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing