fd3f5aeb106a31bcdff757034091438369d3ca3b71e163ad0747a0ab5b87191b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Balance payment.exe
Size

1.4MB
MD5

86e5efa7d3dce6320ffcdfc12f628cba
SHA1

d3d26c7eddb95e028c13b97f94f330e5ad5dbba4
SHA256

07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
SHA512

cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23
SSDEEP

24576:ivrA5SXIIYCcp3WLcndXJp80oPQZ3aO30KISlm7mgXKrqEKdCSu59m6nnjqKoe:ivOkRYCcp3ZrpBooF1Tm6g6rFKdg9rjF

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
1856	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balance payment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2348	Balance payment.exe
2072	powershell.exe
1856	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Balance payment.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2072	2348	Balance payment.exe	31
PID 2348 wrote to memory of 2072	2348	Balance payment.exe	31
PID 2348 wrote to memory of 2072	2348	Balance payment.exe	31
PID 2348 wrote to memory of 2072	2348	Balance payment.exe	31
PID 2348 wrote to memory of 1856	2348	Balance payment.exe	33
PID 2348 wrote to memory of 1856	2348	Balance payment.exe	33
PID 2348 wrote to memory of 1856	2348	Balance payment.exe	33
PID 2348 wrote to memory of 1856	2348	Balance payment.exe	33
PID 2348 wrote to memory of 2744	2348	Balance payment.exe	34
PID 2348 wrote to memory of 2744	2348	Balance payment.exe	34
PID 2348 wrote to memory of 2744	2348	Balance payment.exe	34
PID 2348 wrote to memory of 2744	2348	Balance payment.exe	34
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2316	2348	Balance payment.exe	37
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2632	2348	Balance payment.exe	38
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2872	2348	Balance payment.exe	39
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2772	2348	Balance payment.exe	40
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41
PID 2348 wrote to memory of 2652	2348	Balance payment.exe	41

C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OkbpwNyH.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkbpwNyH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD394.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  2⤵
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD394.tmp

Filesize
1KB

MD5
8da6570799c1cae13210d18ac6de1213

SHA1
cc16a6650fa7b661f0aa6db9457457dc8fdf993c

SHA256
4b4cd65f92e208942581a350b12a7e330812b03184223bcc479ae66ac443276a

SHA512
ddaf953d7e4b20a2fcb614676a7688fa427ad823b373efbed06bc96922ee12960222cac99e06985cffa81cae1bed0f4f35a1e68a7b6c747d6df493307a56d438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TEL77CHEAL60BPINEO5R.temp

Filesize
7KB

MD5
7af798c748e0a561727f302808e1ba60

SHA1
34646fdb47ccc40a3d4b4178575daf1a61a4a45c

SHA256
2894056c672ed04496b5142148c600e410b788a973ed98ff2c57fcaed1677c1f

SHA512
cbea603ed0430e41eb4436c511be93194be3f99278d2e204dc9dfe78b83da3c24efe3f44b5e670ecffeb127608a056ae552555b223d367b04cf7069a3c25d22a

Download Submit
memory/2348-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x00000000003D0000-0x000000000053E000-memory.dmp

Filesize
1.4MB

Download
memory/2348-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-3-0x0000000004FB0000-0x00000000050DE000-memory.dmp

Filesize
1.2MB

Download
memory/2348-4-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2348-5-0x00000000741AE000-0x00000000741AF000-memory.dmp

Filesize
4KB

Download
memory/2348-6-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-7-0x0000000005D30000-0x0000000005E46000-memory.dmp

Filesize
1.1MB

Download
memory/2348-20-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download