54f50cdad3e5039d3207566e1b9de6e16913993ba2aa711e6f91a68e093ed9c4

Analysis

max time kernel
103s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Outstanding Invoice Payment00199pdf.exe
Size

642KB
MD5

9b2a1cefdfe5a139f0280c3ea3d3011f
SHA1

f7c7217d5cf033202ddc38d189d12287e09903d7
SHA256

54f50cdad3e5039d3207566e1b9de6e16913993ba2aa711e6f91a68e093ed9c4
SHA512

c6fe3e87eab347fa519b285b07e420eca261e56a777464cfaf37f00febaa6185d8d91b3dece74355604de6ed12b52e0f2845086e477b700adf3bc6cd03f28348
SSDEEP

12288:kqFCggCRxM6E1CpqSgcxOYqEEHhhHUiQEiYQsWZFOF/kR:L+6sE2EEBhHUiQEiLsIOY

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4532	powershell.exe
4980	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Outstanding Invoice Payment00199pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
4980	powershell.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
4532	powershell.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
1732	Outstanding Invoice Payment00199pdf.exe
4532	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	Outstanding Invoice Payment00199pdf.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4532	1732	Outstanding Invoice Payment00199pdf.exe	78
PID 1732 wrote to memory of 4532	1732	Outstanding Invoice Payment00199pdf.exe	78
PID 1732 wrote to memory of 4532	1732	Outstanding Invoice Payment00199pdf.exe	78
PID 1732 wrote to memory of 4980	1732	Outstanding Invoice Payment00199pdf.exe	80
PID 1732 wrote to memory of 4980	1732	Outstanding Invoice Payment00199pdf.exe	80
PID 1732 wrote to memory of 4980	1732	Outstanding Invoice Payment00199pdf.exe	80
PID 1732 wrote to memory of 5100	1732	Outstanding Invoice Payment00199pdf.exe	82
PID 1732 wrote to memory of 5100	1732	Outstanding Invoice Payment00199pdf.exe	82
PID 1732 wrote to memory of 5100	1732	Outstanding Invoice Payment00199pdf.exe	82
PID 1732 wrote to memory of 4396	1732	Outstanding Invoice Payment00199pdf.exe	84
PID 1732 wrote to memory of 4396	1732	Outstanding Invoice Payment00199pdf.exe	84
PID 1732 wrote to memory of 4396	1732	Outstanding Invoice Payment00199pdf.exe	84
PID 1732 wrote to memory of 4140	1732	Outstanding Invoice Payment00199pdf.exe	85
PID 1732 wrote to memory of 4140	1732	Outstanding Invoice Payment00199pdf.exe	85
PID 1732 wrote to memory of 4140	1732	Outstanding Invoice Payment00199pdf.exe	85
PID 1732 wrote to memory of 5132	1732	Outstanding Invoice Payment00199pdf.exe	86
PID 1732 wrote to memory of 5132	1732	Outstanding Invoice Payment00199pdf.exe	86
PID 1732 wrote to memory of 5132	1732	Outstanding Invoice Payment00199pdf.exe	86
PID 1732 wrote to memory of 5288	1732	Outstanding Invoice Payment00199pdf.exe	87
PID 1732 wrote to memory of 5288	1732	Outstanding Invoice Payment00199pdf.exe	87
PID 1732 wrote to memory of 5288	1732	Outstanding Invoice Payment00199pdf.exe	87
PID 1732 wrote to memory of 1076	1732	Outstanding Invoice Payment00199pdf.exe	88
PID 1732 wrote to memory of 1076	1732	Outstanding Invoice Payment00199pdf.exe	88
PID 1732 wrote to memory of 1076	1732	Outstanding Invoice Payment00199pdf.exe	88

C:\Users\Admin\AppData\Local\Temp\Outstanding Invoice Payment00199pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Outstanding Invoice Payment00199pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Outstanding Invoice Payment00199pdf.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\efQbHyNNWR.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efQbHyNNWR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF54D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1076

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cedb17c539abf964e7d191e61d6e10f8

SHA1
b5ebcde3a3c1ec8f6518a744ea679fe2c3be1680

SHA256
b9fe8c31168c2d3fc5d16f6bf9f8415efc23402e07d87ba973bbb5666300af81

SHA512
f1229a7d3e19c17b55c46f86813337679171ef54a229aacd80a9322f6e806c2bcfbf64b81fcac18a4349a78533bfd0188cfc57d151800ab99b0c43b38d3896b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgrmyjkg.btc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF54D.tmp

Filesize
1KB

MD5
121ee61de153435db77678d5077f34f2

SHA1
71f23c56b102cf2a7a92ad3aaaba43130c40bebb

SHA256
539e5c27a4690af7d2a0e863799966efa1721ab8e48af55d658f4ec05e328d04

SHA512
e52a85f2f526ad05253f8991a5ee0b497059cfa4385e2b8e994d024974bf112fe49c72d2f948b9621599be552c496e190de561841c3364132962300ae6defacd

Download Submit
memory/1732-6-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/1732-5-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/1732-4-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/1732-7-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/1732-8-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1732-9-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/1732-10-0x00000000082C0000-0x0000000008338000-memory.dmp

Filesize
480KB

Download
memory/1732-3-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/1732-2-0x0000000005C10000-0x00000000061B6000-memory.dmp

Filesize
5.6MB

Download
memory/1732-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000B00000-0x0000000000BA4000-memory.dmp

Filesize
656KB

Download
memory/1732-28-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4532-69-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-58-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/4532-15-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download
memory/4532-16-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4532-84-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4532-77-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download
memory/4532-75-0x0000000007180000-0x0000000007195000-memory.dmp

Filesize
84KB

Download
memory/4532-76-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/4532-17-0x0000000004FC0000-0x00000000055EA000-memory.dmp

Filesize
6.2MB

Download
memory/4532-45-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4532-46-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/4532-47-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4532-49-0x0000000074E10000-0x0000000074E5C000-memory.dmp

Filesize
304KB

Download
memory/4532-59-0x0000000006DF0000-0x0000000006E94000-memory.dmp

Filesize
656KB

Download
memory/4532-74-0x0000000007170000-0x000000000717E000-memory.dmp

Filesize
56KB

Download
memory/4532-72-0x00000000071C0000-0x0000000007256000-memory.dmp

Filesize
600KB

Download
memory/4532-70-0x0000000006F30000-0x0000000006F4A000-memory.dmp

Filesize
104KB

Download
memory/4532-18-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4532-48-0x0000000006DB0000-0x0000000006DE4000-memory.dmp

Filesize
208KB

Download
memory/4980-71-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/4980-22-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/4980-73-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/4980-60-0x0000000074E10000-0x0000000074E5C000-memory.dmp

Filesize
304KB

Download
memory/4980-23-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/4980-27-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4980-20-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4980-24-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4980-83-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/4980-26-0x0000000005CC0000-0x0000000006017000-memory.dmp

Filesize
3.3MB

Download
memory/4980-21-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download