Analysis
max time kernel: 140s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2024, 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: Payment info.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Payment info.exe
  Resource: win10v2004-20241007-en
General
Target: Payment info.exe
Size: 1.4MB
MD5: 83e7ad8161455e90c7c32051be5dd529
SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82
SSDEEP: 24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8aaf/49lT9X1U0da2vejCBDToJ:/TvC/MTQYxsWR7aafoe6DejCBvo
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: Esher.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Esher.vbs
Executes dropped EXE (1 IoC)
  PID 3148: Esher.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 27: checkip.dyndns.org
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Resource: behavioral2/files/0x0008000000023bc3-5.dat
  YARA rule: autoit_exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3148 (Esher.exe) set thread context of PID 2228 (procid_target 95)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Esher.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegSvcs.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Payment info.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2228: RegSvcs.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3148: Esher.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2228: RegSvcs.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 3968: Payment info.exe (13 occurrences)
  PID 3148: Esher.exe (12 occurrences)
Suspicious use of SendNotifyMessage (25 IoCs)
  PID 3968: Payment info.exe (13 occurrences)
  PID 3148: Esher.exe (12 occurrences)
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3968 (Payment info.exe) wrote to memory of PID 3148 (procid_target 92): 3 occurrences
  PID 3148 (Esher.exe) wrote to memory of PID 2228 (procid_target 95): 4 occurrences
outlook_office_path (1 IoC)
  Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
  Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment info.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
   PID: 3968
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Okeghem\Esher.exe (child of PID 3968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
      PID: 3148
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 3148)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Payment info.exe"
         PID: 2228
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
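The Signatures and Processes sections together record one injection chain: Payment info.exe writes into Esher.exe, Esher.exe writes into RegSvcs.exe and resets its thread context (SetThreadContext), and all three processes carry the original sample's command line even though the mapped image differs. RegSvcs.exe is a legitimate, Microsoft-signed .NET utility; what makes it suspicious here is the image/command-line mismatch, the parent running from AppData, and the Startup-folder .vbs that provides persistence. The following Python is an added example, not part of this report or of the sandbox's own detection logic. The events are constructed from the PIDs, paths and API calls listed above; the field names (pid, ppid, image, cmdline, api, target, path) and the list of commonly abused .NET host binaries are assumptions, modelled loosely on Sysmon process-creation events plus a synthetic API-call log rather than on any real EDR schema. It shows how these three observations combine into host-side detection rules that generalise beyond this sample.

```python
"""Added example (not part of the sandbox report): host-side detection rules
derived from the report's Signatures and Processes sections.

Events are constructed from the PIDs, paths and API calls the report lists;
field names (pid, ppid, image, cmdline, api, target, path) are assumptions
modelled loosely on Sysmon process-creation events plus a synthetic API log.
"""
import ntpath
import re

# Constructed process-creation events mirroring the report's process tree.
PROCESSES = [
    {"pid": 3968, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment info.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment info.exe"'},
    {"pid": 3148, "ppid": 3968,
     "image": r"C:\Users\Admin\AppData\Local\Okeghem\Esher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment info.exe"'},
    {"pid": 2228, "ppid": 3148,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment info.exe"'},
]

# Constructed API events mirroring the WriteProcessMemory / SetThreadContext
# signatures (one entry per parent/child pair; repeat counts omitted).
API_CALLS = [
    {"pid": 3968, "api": "WriteProcessMemory", "target": 3148},
    {"pid": 3148, "api": "WriteProcessMemory", "target": 2228},
    {"pid": 3148, "api": "SetThreadContext", "target": 2228},
]

# Constructed file-create event mirroring the "Drops startup file" signature.
FILE_CREATES = [
    {"pid": 3148, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                          r"\Start Menu\Programs\Startup\Esher.vbs"},
]

# Signed .NET utilities commonly abused as injection hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def cmdline_image(cmdline):
    """Executable named by a command line: the quoted first token if quoted,
    otherwise the first whitespace-delimited token."""
    m = re.match(r'\s*"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.strip().split(" ", 1)[0]


def cmdline_mismatch(procs):
    """PIDs whose command line names a different executable than the mapped
    image. In the report Esher.exe and RegSvcs.exe both run under the original
    sample's command line, a classic process-hollowing tell."""
    return [p["pid"] for p in procs
            if ntpath.normcase(cmdline_image(p["cmdline"]))
            != ntpath.normcase(p["image"])]


def hollowing_chain(procs, api_calls):
    """(parent, child, child image name, child is a known .NET host) for each
    pair where the parent both wrote the child's memory and reset its thread
    context, i.e. the WriteProcessMemory + SetThreadContext combination the
    report records between PID 3148 and PID 2228."""
    wrote = {(c["pid"], c["target"]) for c in api_calls
             if c["api"] == "WriteProcessMemory"}
    ctx = {(c["pid"], c["target"]) for c in api_calls
           if c["api"] == "SetThreadContext"}
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for parent, child in sorted(wrote & ctx):
        name = ntpath.basename(by_pid[child]["image"])
        hits.append((parent, child, name, name.lower() in DOTNET_HOSTS))
    return hits


def startup_drops(file_creates, procs):
    """(pid, file name) for files written into a Startup folder by a process
    whose image lives in a user-writable location, as Esher.exe does here."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for f in file_creates:
        path = ntpath.normcase(f["path"])
        image = ntpath.normcase(by_pid[f["pid"]]["image"])
        if STARTUP_DIR in path and any(d in image for d in USER_WRITABLE):
            hits.append((f["pid"], ntpath.basename(f["path"])))
    return hits


def triage(procs, api_calls, file_creates):
    """Run all three rules. A hollowing chain into a known .NET host plus a
    Startup drop is rated malicious; any single hit is rated suspicious."""
    findings = {
        "cmdline_mismatch": cmdline_mismatch(procs),
        "hollowing_chain": hollowing_chain(procs, api_calls),
        "startup_drops": startup_drops(file_creates, procs),
    }
    if any(h[3] for h in findings["hollowing_chain"]) and findings["startup_drops"]:
        findings["verdict"] = "malicious"
    elif any(findings[k] for k in ("cmdline_mismatch", "hollowing_chain", "startup_drops")):
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for rule, hits in triage(PROCESSES, API_CALLS, FILE_CREATES).items():
        print(f"{rule}: {hits}")
```

On the constructed events the command-line rule fires for PIDs 3148 and 2228, the hollowing rule fires once for the 3148 to 2228 pair with RegSvcs.exe recognised as a known host, and the Startup rule fires for Esher.vbs, giving a malicious verdict. Real telemetry needs the same three signals mapped onto its own schema (Sysmon event 1 for image and command line, Sysmon event 11 for the Startup write, and an EDR API trace or Sysmon event 8/10 style data for the cross-process memory writes).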
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 83e7ad8161455e90c7c32051be5dd529
SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82