d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c

General

Target

REVISED INVOICE.exe
Size

983KB
MD5

8274b1a41b53bf35e0b4330a20010d4c
SHA1

0b263f01dd3e10389cd4fe6575d114ea301ee874
SHA256

d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
SHA512

727ed4fe93c9f0da19df61b81d3f92a9ddc9b6680b2ac841e1ed3ed37bbbe7ecc4a628dfddf31429d2fb5034edd6bc7f742a84f6e76fe7f7401dcd98ea3ec644
SSDEEP

12288:KBu+je2mGYUNpeqzfAOKUXWkP/8KYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolxsq8:D+63cWqv3nANr8xAGuwIm/yWiopvC9wG

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
864	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Hemicrane.ini	REVISED INVOICE.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\federalt\Telephonists230.Ube	REVISED INVOICE.exe
File opened for modification	C:\Windows\resources\snagline.sub	REVISED INVOICE.exe
File created	C:\Windows\resources\0409\syntonolydian\statsminister.lnk	REVISED INVOICE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVISED INVOICE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	powershell.exe
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2500	804	REVISED INVOICE.exe	31
PID 804 wrote to memory of 2500	804	REVISED INVOICE.exe	31
PID 804 wrote to memory of 2500	804	REVISED INVOICE.exe	31
PID 804 wrote to memory of 2500	804	REVISED INVOICE.exe	31
PID 804 wrote to memory of 864	804	REVISED INVOICE.exe	33
PID 804 wrote to memory of 864	804	REVISED INVOICE.exe	33
PID 804 wrote to memory of 864	804	REVISED INVOICE.exe	33
PID 804 wrote to memory of 864	804	REVISED INVOICE.exe	33

C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\depoh.lnk

Filesize
852B

MD5
f531f1b805017206cd3d0f52e088fbbf

SHA1
00eacc2e15236a38e743d0203493335c029d97ca

SHA256
0b472228e563bfb78ab84bcee81c5e86bfb54ed3d24b1cef470c00d54c6d1a22

SHA512
bceeb4c7dbcb458e42a923ed21f1e37a6404c75f7e76d43a0005bef21a9c6c7efc8e0b4aec8b301f98f8dc95e8e741dfa5bb86ace74548f56331e6eec7b5bb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
42dc7628d29552efa816d58b47854bda

SHA1
fe1b84cf8d51ef7d1cc7a63d406d364bf91f930a

SHA256
3e0e531a7e57c1ce28b41b7e2d32b166becca191834f2ccd7740e5a81a05c46f

SHA512
f3e21306802232587d6851154a39a521a164d007e742c48be76a1d12b6a2eec71d0cdd9dffaf8fc09b821666b54335891523c19b30204d055d20fe34aedb4a14

Download Submit
memory/2500-172-0x0000000073B71000-0x0000000073B72000-memory.dmp

Filesize
4KB

Download
memory/2500-173-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-175-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-174-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-176-0x0000000073B70000-0x000000007411B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing