af92beb74147dfd4f21e426fadde4d083430a2495517e0fef4d802ba81909483

General

Target

Payment details.scr
Size

902KB
MD5

023fad9ba7a69c5ea2e5abb346d40ed9
SHA1

fd08e5e193224ea4ad3e948533ffd22489e0c4d1
SHA256

af92beb74147dfd4f21e426fadde4d083430a2495517e0fef4d802ba81909483
SHA512

95d3ccdf606c56996e6c17a73a051cc7a87474a98fbdf2e354b09c058a95db5ab4cafb48e73af06b3a6fe0094c05b3c2b1f030e7781cd2725ef86fcd1f32a471
SSDEEP

24576:TifgM3q7kTSbUjZ5G7ygYi61ZU8+gHZA8:Tig7SSANUWgYPZU8+g5A8

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 1904	2776	Payment details.scr	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	1904	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment details.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2388	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2388	2776	Payment details.scr	30
PID 2776 wrote to memory of 2388	2776	Payment details.scr	30
PID 2776 wrote to memory of 2388	2776	Payment details.scr	30
PID 2776 wrote to memory of 2388	2776	Payment details.scr	30
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 2776 wrote to memory of 1904	2776	Payment details.scr	32
PID 1904 wrote to memory of 2872	1904	RegSvcs.exe	33
PID 1904 wrote to memory of 2872	1904	RegSvcs.exe	33
PID 1904 wrote to memory of 2872	1904	RegSvcs.exe	33
PID 1904 wrote to memory of 2872	1904	RegSvcs.exe	33

C:\Users\Admin\AppData\Local\Temp\Payment details.scr
"C:\Users\Admin\AppData\Local\Temp\Payment details.scr" /S
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment details.scr"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 88
    3⤵
    - Program crash
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-13-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-8-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-10-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-11-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-17-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1904-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-1-0x0000000000080000-0x0000000000164000-memory.dmp

Filesize
912KB

Download
memory/2776-7-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/2776-6-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/2776-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/2776-5-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/2776-4-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/2776-3-0x0000000004940000-0x0000000004A02000-memory.dmp

Filesize
776KB

Download
memory/2776-2-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-24-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing