dbba073f0c88fe42a7614b65cb8db2f5ad346fdfb1e21763288d2d73e65c9b6f

General

Target

Tools-Invoice.pdf.7z
Size

2.0MB
MD5

0cdc67b3f8a598bec1e06964536d5998
SHA1

99c6c928f0a7843e422a89d578175ad011ea4f10
SHA256

dbba073f0c88fe42a7614b65cb8db2f5ad346fdfb1e21763288d2d73e65c9b6f
SHA512

4414cd2085a1d207d4d02d0cafd33cca7fcd0faa57c2264891b088ff8fd0b872cb45bf932fe49b72ca0e6611eb165e20f9a432d6d5c8daf73ecb042b77cb2326
SSDEEP

49152:ZXWm5vNti62RUJhdigVRTX1uIpEI+1ZoEatFg0uU/:z26cUJhNnEImoJFg05/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3364	Tools-Invoice.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4404	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4404	7zFM.exe
Token: 35	4404	7zFM.exe
Token: SeSecurityPrivilege	4404	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4404	7zFM.exe
4404	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4404	1480	cmd.exe	92
PID 1480 wrote to memory of 4404	1480	cmd.exe	92
PID 4404 wrote to memory of 3364	4404	7zFM.exe	104
PID 4404 wrote to memory of 3364	4404	7zFM.exe	104

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.7z
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe"
    3⤵
    - Executes dropped EXE
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\7zO4315C819\TvtuziedoTs.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4315C819\TvtuziedoTs.exe"
      4⤵
      PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe" /s
      4⤵
      PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Tools-Invoice.pdf.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe

Filesize
225.2MB

MD5
aa48773536e86519ea90ecc99bfe2e3b

SHA1
ae3e01f471757e81437294764d42a72edb2e544a

SHA256
7a45fc31e0c15a3830fb33a1013b6f369171f92948db3698561b9f6740c93e6b

SHA512
34ad6192f72bc7df4adf150d289d4ad26ce9892e4dbb55011450dad5b9a4485c2eb903dbc32c3addd83900f1a69c70c340c05f5764b2aede83a96763e64712ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe

Filesize
228.6MB

MD5
13544d748e29e5ca97e476f537a9cd0b

SHA1
39dd656ea57d5c23114c8f161186e8fc593ebbf3

SHA256
eb9f5f0faa16e1a15f6038935108034b1f7f3dee72b9500d2fb6f3330eac3437

SHA512
3499be99950b3b211578d320fe25c2f51b3f840b13db9bf16359e907fd062f11fc81b027a819c2faabaa9eebdbbc92fb5a2778c0ff764ccf3d43569d8f858490

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe

Filesize
103.4MB

MD5
d27e720689553fa4837323a84991959f

SHA1
b5c094461d6b6a81823b18030d1da17573f4c65e

SHA256
78109c54caa9d7f75f304b0e0592c45a39ed4a9272d5f8f128539624749b68ad

SHA512
3b6ad500f5a1763285992a0b73a0826673b2dda0deae565a9e3009f7f54344384f853a56b3d9a7bdd96a07b5b176b691bab6af83876633844a7f307a7f8788d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4315C819\Tools-Invoice.pdf.exe

Filesize
242.9MB

MD5
7b657d089add86f7a990e69fc134bf97

SHA1
3654c96049d8ce98847d2bceecd1e6fc566086ce

SHA256
4bfd073afe558921156bb54c82aaf88305db780c745e513a43b35890cee79c1f

SHA512
3a2534d480b575fa5911e0c9cf298d9b0a94a730bf32d80d8fa173425ad1fa3193bbe6f2844ecf37cd519a8e99d5ba95b0225e1f524758957104fe8b9b6e1d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4315C819\TvtuziedoTs.exe

Filesize
997KB

MD5
dbc534854dd385e59a3f1906ddfb9020

SHA1
2b3062d82232ce10a8713829199769ff0d12e0fc

SHA256
06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0

SHA512
1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

Download Submit
memory/3364-12-0x00000000006A0000-0x00000000008DE000-memory.dmp

Filesize
2.2MB

Download
memory/3364-13-0x00007FF9862E0000-0x00007FF986DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-25-0x00007FF9862E0000-0x00007FF986DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-26-0x00007FF9862E0000-0x00007FF986DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-27-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing