993a12eb263fac02f7279502d0968e6666a5e56af2b28e0ceb6e745eca91acba

General

Target

TNT Original Invoice.scr
Size

697KB
MD5

4aa63ea35a6a68252888080722f2b403
SHA1

63ecde53df066919f84d35926dbea4efc1610b00
SHA256

8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
SHA512

a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
SSDEEP

12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe

pid	process
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

TNT Original Invoice.scrpowershell.exepowershell.exe

pid	process
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2016	TNT Original Invoice.scr
2512	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TNT Original Invoice.scrpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	TNT Original Invoice.scr
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

TNT Original Invoice.scr

description	pid	process	target process
PID 2016 wrote to memory of 2512	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2512	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2512	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2512	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2472	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2472	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2472	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2472	2016	TNT Original Invoice.scr	powershell.exe
PID 2016 wrote to memory of 2664	2016	TNT Original Invoice.scr	schtasks.exe
PID 2016 wrote to memory of 2664	2016	TNT Original Invoice.scr	schtasks.exe
PID 2016 wrote to memory of 2664	2016	TNT Original Invoice.scr	schtasks.exe
PID 2016 wrote to memory of 2664	2016	TNT Original Invoice.scr	schtasks.exe
PID 2016 wrote to memory of 2432	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2432	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2432	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2432	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2524	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2524	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2524	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2524	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2840	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2840	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2840	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2840	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2896	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2896	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2896	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2896	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2412	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2412	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2412	2016	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2016 wrote to memory of 2412	2016	TNT Original Invoice.scr	TNT Original Invoice.scr

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp"
2⤵
- Creates scheduled task(s)
PID:2664

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
PID:2412

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp
Filesize
1KB

MD5
2029edf50c8d6e9cd5059d452f59fd9d

SHA1
5416b9a99c2216e5f549e0285a0a789136ee0d15

SHA256
62120faa5fecf0c89b11938900a3d4c5f03e03f2b15b86ae96c0288acbdac762

SHA512
117e63834f62b43eb01b2b2d0fa48f39ee946a8a1aff853a1255a3bb8c22adba2becaa97d6aee22ee37a9912bf3f4c959a7e8806ea331a535a860a09e73dfe53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
94b87d956ef12a4590be6b855524b66a

SHA1
6bd53008d2cb507006c31300f9f526ebd6e745ee

SHA256
0f0aaab2b259b0cf00950fc6f649f54f8a4f00219fcb7fafda2d127bdb47fdde

SHA512
e0ec1ef2d1dbfd6873577ecf26b329ceea6ae58dc4f0763d9d4fb62533002f6ba0bb5c40d47f702c786ba8309c1a2edc7c10a77d6f2523c36c35bac87b0ca5dc

Download Submit
memory/2016-0-0x0000000000360000-0x0000000000414000-memory.dmp

Filesize
720KB

Download
memory/2016-1-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-2-0x0000000004460000-0x00000000044A0000-memory.dmp

Filesize
256KB

Download
memory/2016-3-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/2016-4-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2016-5-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2016-6-0x0000000005340000-0x00000000053C4000-memory.dmp

Filesize
528KB

Download
memory/2016-19-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads