Analysis
  max time kernel:  126s
  max time network: 129s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  submitted:        04/10/2024, 01:07
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample:   payment slip.exe
    Resource: win7-20240704-en
  Behavioral task: behavioral2
    Sample:   payment slip.exe
    Resource: win10v2004-20240802-en
General
  Target: payment slip.exe
  Size:   1.3MB
  MD5:    89caacf3b4c7850f58e13b22c1abf425
  SHA1:   612fa3a9c39e7740026ae6685708bec6a170a442
  SHA256: 060f6e4baa9b2ac462805c173f9bec5927321333ae978c91d4de3bd0da6b415d
  SHA512: 3b6d5b46ba51764e29fc063742e8871262dd5ba01e726a1864db2ee3768f726a8f12955b24408a8203250eeecff7a45e98d482e811674120b71a2259cbbf4cd0
  SSDEEP: 24576:ffmMv6Ckr7Mny5QLXI0mlORaXRY6n4u0uUTTzPVbSG/oe:f3v+7/5QLSf6610uUfpbD/L
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process           procid_target
  PID 3388 set thread context of 4428    3388  payment slip.exe  89

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  payment slip.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  4428  svchost.exe     (14 identical entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  3388  payment slip.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process           procid_target
  PID 3388 wrote to memory of 4428     3388  payment slip.exe  89    (4 identical entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\payment slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment slip.exe"
    PID: 3388
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\payment slip.exe"
        PID: 4428
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4008,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
    PID: 3140