Overview

overview

10

Static

static

10

Payment Co...on.exe

windows7-x64

10

Payment Co...on.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    136s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-07-2024 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Confirmation.exe

  • Size

    529KB

  • MD5

    d998b9339c956239dc2199b761501441

  • SHA1

    39f82f942c9de8cd0207e8bacc221351469938a7

  • SHA256

    aacf855f3810c4aa02e714dae8c8da78b8d8bfbaa041aa85ddfbdb83c3ade756

  • SHA512

    0a50c1ee25e052081346a5cc2e7090a413f8d91baaca2d5f45fbc9c08a2f6dc7cf93f0417f24ac59cd7a4f4abd0f8e80abe48ef6773af312072012f4c0e8ab6c

  • SSDEEP

    12288:XFZ5tWdM8H4+iH88V7kVC46A9jmP/uhu/yMS08CkntxYRCL:XGE+iZ7kVtfmP/UDMS08Ckn3h

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:3156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads