Analysis
- max time kernel: 71s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/11/2024, 07:42
Static task: static1
Behavioral task: behavioral1 (sample: Payment info.exe, resource: win7-20240903-en)
Behavioral task: behavioral2 (sample: Payment info.exe, resource: win10v2004-20241007-en)
General
- Target: Payment info.exe
- Size: 1.4MB
- MD5: 83e7ad8161455e90c7c32051be5dd529
- SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
- SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
- SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82
- SSDEEP: 24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8aaf/49lT9X1U0da2vejCBDToJ:/TvC/MTQYxsWR7aafoe6DejCBvo
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Esher.vbs | Esher.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2196 | Esher.exe
  2296 | Esher.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2148 | Payment info.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x0008000000016c56-7.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2296 set thread context of 2012 | 2296 | Esher.exe | 34
  Note: PID 2012 is the RegSvcs.exe child of 2296 in the process tree below. WriteProcessMemory from 2296 into 2012 (eight calls, see below) followed by SetThreadContext on the same target is the usual footprint of writing code into a newly created process and redirecting its thread to it.
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Esher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payment info.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Esher.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2196 | Esher.exe
  2296 | Esher.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2012 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  2148 | Payment info.exe
  2196 | Esher.exe
  2296 | Esher.exe
  The original listing repeats these three rows once per call, 64 rows in total (most from 2148 and 2196, three from 2296).
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  2148 | Payment info.exe
  2196 | Esher.exe
  2296 | Esher.exe
  Same distribution as FindShellTrayWindow: 64 rows, most from 2148 and 2196, three from 2296.
- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target | calls
  PID 2148 wrote to memory of 2196 | 2148 | Payment info.exe | 31 | 4
  PID 2196 wrote to memory of 2408 | 2196 | Esher.exe | 32 | 7
  PID 2196 wrote to memory of 2296 | 2196 | Esher.exe | 33 | 4
  PID 2296 wrote to memory of 2012 | 2296 | Esher.exe | 34 | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment info.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
  PID: 2148
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Okeghem\Esher.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
    PID: 2196
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
      PID: 2408
    - C:\Users\Admin\AppData\Local\Okeghem\Esher.exe
      command line: "C:\Users\Admin\AppData\Local\Okeghem\Esher.exe"
      PID: 2296
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "C:\Users\Admin\AppData\Local\Okeghem\Esher.exe"
        PID: 2012
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Note: the first Esher.exe instance (2196) and both RegSvcs.exe instances (2408, 2012) run with the command line of the process that created them rather than their own path. A command line whose executable does not match the process image is itself a useful hunting signal, independent of the specific file names.
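Detection logic for the behaviours recorded above, as an added example that is not part of the sandbox report. It runs over a handful of constructed Sysmon-style events (EventID 1 process creation, 11 file creation, 22 DNS query) modelled on the process tree, the Startup\Esher.vbs drop and the checkip.dyndns.org lookup, and flags the points a hunter would pivot on: a RegSvcs.exe started by a parent in a user-writable directory, a process whose command line names a different executable than its image (the first Esher.exe and both RegSvcs.exe instances above), a script dropped in the Startup folder, and a DNS query to an external-IP service. The events are constructed; attributing the DNS query to PID 2012 is an assumption (the report records only the flow), the dropper's parent and the benign installer row are assumptions, and every IP-lookup host other than checkip.dyndns.org is an assumption.

```python
"""Hunt rules for the behaviours in the report above, run over constructed
Sysmon-style events. Added example, not part of the sandbox report."""
import ntpath

# Paths and PIDs taken from the report's process tree.
PAYMENT = r"C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
ESHER = r"C:\Users\Admin\AppData\Local\Okeghem\Esher.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
STARTUP_VBS = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Esher.vbs")


def _q(path):
    """Quote a path as a command line consisting of that executable alone."""
    return f'"{path}"'


def _ev(eid, pid, **fields):
    return {"EventID": eid, "ProcessId": pid, **fields}


# Constructed events (EventID 1 = ProcessCreate, 11 = FileCreate, 22 = DnsQuery).
# The dropper's parent and the final benign RegSvcs.exe row are assumptions.
SAMPLE_EVENTS = [
    _ev(1, 2148, ParentProcessId=1000, ParentImage=r"C:\Windows\explorer.exe",
        Image=PAYMENT, CommandLine=_q(PAYMENT)),
    _ev(1, 2196, ParentProcessId=2148, ParentImage=PAYMENT,
        Image=ESHER, CommandLine=_q(PAYMENT)),
    _ev(1, 2408, ParentProcessId=2196, ParentImage=ESHER,
        Image=REGSVCS, CommandLine=_q(PAYMENT)),
    _ev(1, 2296, ParentProcessId=2196, ParentImage=ESHER,
        Image=ESHER, CommandLine=_q(ESHER)),
    _ev(1, 2012, ParentProcessId=2296, ParentImage=ESHER,
        Image=REGSVCS, CommandLine=_q(ESHER)),
    _ev(11, 2196, Image=ESHER, TargetFilename=STARTUP_VBS),
    # The report records only the flow; attributing it to PID 2012 is assumed.
    _ev(22, 2012, Image=REGSVCS, QueryName="checkip.dyndns.org"),
    # Legitimate use of RegSvcs.exe by an installer (assumed): must not alert.
    _ev(1, 3000, ParentProcessId=900, ParentImage=r"C:\Program Files\Vendor\Setup.exe",
        Image=REGSVCS, CommandLine=_q(REGSVCS) + " /tlb:Vendor.tlb Vendor.dll"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")
# checkip.dyndns.org is what the report shows; the other hosts are assumptions.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}


def _base(path):
    return ntpath.basename(path).lower()


def _exe_from_cmdline(cmd):
    """First token of a Windows command line, with surrounding quotes removed."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def build_chain(pid, by_pid):
    """Walk ParentProcessId links to the root: 'child(pid) <- parent(pid) ...'."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(f"{_base(by_pid[pid]['Image'])}({pid})")
        pid = by_pid[pid].get("ParentProcessId")
    return " <- ".join(names)


def detect(events):
    """Return one alert dict per rule hit, each with the ancestry chain attached."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []

    def hit(rule, e, detail):
        alerts.append({"rule": rule, "pid": e["ProcessId"], "detail": detail,
                       "chain": build_chain(e["ProcessId"], by_pid)})

    for e in events:
        if e["EventID"] == 1:
            image, parent = e["Image"], e.get("ParentImage", "")
            claimed = _exe_from_cmdline(e.get("CommandLine", ""))
            # Injected hosts often inherit the creator's command line, as above.
            if claimed and _base(claimed) != _base(image):
                hit("cmdline_image_mismatch", e,
                    f"command line names {_base(claimed)}, image is {_base(image)}")
            if _base(image) == "regsvcs.exe" and any(m in parent.lower() for m in USER_WRITABLE):
                hit("regsvcs_from_user_writable_parent", e, parent)
        elif e["EventID"] == 11:
            target = e["TargetFilename"].lower()
            if STARTUP_DIR in target and target.endswith(SCRIPT_EXT):
                hit("startup_folder_script", e, e["TargetFilename"])
        elif e["EventID"] == 22 and e["QueryName"].lower() in IP_LOOKUP_HOSTS:
            hit("external_ip_lookup", e, e["QueryName"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:36} pid={a['pid']:<5} {a['chain']}")
```

Running the block prints one line per hit with the ancestry chain. On the constructed input the benign installer row stays silent, while the command-line mismatch rule fires on PIDs 2196, 2408 and 2012, the same set the report's process tree shows running under a borrowed command line, and the external-IP hit is traced back through both Esher.exe instances to the original dropper.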
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 83e7ad8161455e90c7c32051be5dd529
  SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
  SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
  SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82