Overview

overview

10

Static

static

3

Invoice an...pt.exe

windows7-x64

3

Invoice an...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice and receipt.exe

  • Size

    727KB

  • MD5

    b4b32117b40b70fb1bfeab298ba44557

  • SHA1

    a74707a387129c37ce14a7ebacd053a8864e2e7d

  • SHA256

    6dd5d1309948dac371cf1cc1083f758ea313161d8658d9d3842e3f908bd280d5

  • SHA512

    dbd3f35c3c6b3ebe18276672a607475d0a8a9999b1e666256a7dac3994367c35887109ba8e1106ea04eb2574d387ce9e198d7d2ac0b33fa85865850fad507906

  • SSDEEP

    12288:61ta/jCVo69W+WkpmDodcb1NrOvPA/cxSgDXwJWTrDVylYtnh:g8/jCa69DpOodcbnrOw0ZwJWTrpUYL

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKgJBVbBBXr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKgJBVbBBXr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42DA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2960
    • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
      2⤵
        PID:2384
      • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
        2⤵
          PID:2380
        • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
          "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
          2⤵
            PID:2400
          • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
            "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
            2⤵
              PID:2428
            • C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe
              "C:\Users\Admin\AppData\Local\Temp\Invoice and receipt.exe"
              2⤵
                PID:2456

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp42DA.tmp
              Filesize

              1KB

              MD5

              d2b95335f0585a7c17f2a8f19e1a4766

              SHA1

              2e5d266df208582db439d38b7bbec14022385e5f

              SHA256

              a34fab80f645c9d8cd6388238eaf41260cddfc08519b17e91d805e9ea9c9a9fa

              SHA512

              45736e8fbf0408f1cac0af09f0080ce62becf154adc5e02b51e99e3e34186738e316abf9498432c70d26ada7b25a363e939801d4315ff98d510eaa9e9951b8e6

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              b14f372ca0c851403fa90f9708eeb448

              SHA1

              efbfa97178ac9039c13cbbc3760c54a3c88a30ae

              SHA256

              0510185d7b43e7964be8f0a461700a1e672aedc7b922883c7a99c8ad021fbd22

              SHA512

              520d30f0b46cbaf3737ba0b78c45abe39be6877a327e748729b23947a5e1a0b889e36886b80380512cad1d38b9c9f77aa244d85c23d70e0e5084ed95aee6cded

              Download Submit
            • memory/1968-0-0x00000000003A0000-0x000000000045A000-memory.dmp
              Filesize

              744KB

              Download
            • memory/1968-1-0x0000000074640000-0x0000000074D2E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1968-2-0x00000000006D0000-0x0000000000710000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1968-3-0x0000000004FC0000-0x0000000005068000-memory.dmp
              Filesize

              672KB

              Download
            • memory/1968-4-0x0000000000250000-0x0000000000262000-memory.dmp
              Filesize

              72KB

              Download
            • memory/1968-5-0x0000000000350000-0x0000000000358000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1968-6-0x0000000000360000-0x000000000036C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1968-7-0x0000000004E20000-0x0000000004EAC000-memory.dmp
              Filesize

              560KB

              Download
            • memory/1968-25-0x0000000074640000-0x0000000074D2E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2532-26-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2532-22-0x0000000002A40000-0x0000000002A80000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2532-24-0x0000000002A40000-0x0000000002A80000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2532-21-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2532-30-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2536-23-0x0000000002AA0000-0x0000000002AE0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2536-20-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2536-27-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/2536-28-0x0000000002AA0000-0x0000000002AE0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2536-29-0x000000006F550000-0x000000006FAFB000-memory.dmp
              Filesize

              5.7MB

              Download