Analysis

Max time kernel: 62s
Max time network: 75s
Platform: windows7_x64
Resource: win7
Submitted: 30-06-2020 17:55

Static task: static1

Behavioral task: behavioral1
  Sample: Factura de pago.exe
  Resource: win7

Behavioral task: behavioral2
  Sample: Factura de pago.exe
  Resource: win10v200430
General

Target: Factura de pago.exe (Spanish for "payment invoice")
Size: 798KB
MD5: 3c409356f954ac50a25de19954bbf681
SHA1: 6e3a4701d83d60e703c5641ce209a3cc61875bb1
SHA256: c82e474e76b1641ab73aafe25ebe9f509a27997a3d4e76015c5eabca15acdc63
SHA512: 815a920e7168cd56e23012d2e00e887abf79c5f4d2b9c8ff4d47bc1777f00f62478d189062e949b72aa53db3ba87be69ed2a7db52a8b27ec1e944a635dfc6daf
Malware Config
Signatures

All process-level IoCs below come from the behavioral1 run (Windows 7 x64); the two PIDs involved, 892 and 616, both run the same image, Factura de pago.exe.

UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
    resource                                                                   yara_rule
    behavioral1/memory/616-0-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral1/memory/616-2-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral1/memory/616-3-0x0000000000400000-0x0000000000450000-memory.dmp  upx

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    3     checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid  process
    892  Factura de pago.exe
    616  Factura de pago.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid  process
    Token: SeDebugPrivilege  616  Factura de pago.exe

Suspicious use of SetThreadContext (1 IoC)
    description                        pid  process              target process
    PID 892 set thread context of 616  892  Factura de pago.exe  Factura de pago.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of WriteProcessMemory (4 IoCs)
    description                     pid  process              target process
    PID 892 wrote to memory of 616  892  Factura de pago.exe  Factura de pago.exe  (4 identical events)

Suspicious behavior: MapViewOfSection (1 IoC)
    pid  process
    892  Factura de pago.exe

Reading the cross-process IoCs together: every one of them runs in a single direction, from the first instance (PID 892) into the second (PID 616), which is a copy of the same image. A parent that writes into a child copy of itself and then replaces the child's thread context is the call pattern of process hollowing / self-injection, and the child is where the payload actually runs: PID 616 is the process whose 0x400000-0x450000 region the sandbox dumped and matched against the upx rule, and the process that enabled SeDebugPrivilege. When hunting for this sample, the memory of the injected child, not the on-disk 798KB file, is the artifact to unpack.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe"
   (PID 892, per the signature tables above)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection

   2. C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe"
      (PID 616, per the signature tables above)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
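The process tree and the cross-process signatures above are easiest to reason about as a small triage pass over the sandbox's API events: pair up WriteProcessMemory and SetThreadContext calls by (caller, target), check whether the two processes share an image, and then treat the injection target as the process whose memory matters. The following is an added example, not code from the Triage report or from the sample. Its event records are constructed to mirror the signature tables above (PIDs 892 and 616, four writes, one thread-context change, SeDebugPrivilege on 616); the record layout and the attribution of the checkip.dyndns.org lookup to PID 616 are assumptions made for the example, since the report does not give a PID for that flow.

```python
"""Triage a sandbox API-call log for the parent-to-child self-injection
pattern seen above (WriteProcessMemory + SetThreadContext from PID 892 into
PID 616, both running the same image).

Added example, not part of the Triage report or of the sample. The event
records are constructed to mirror the signature tables above; the record
layout (pid, image, api, target_pid, detail) is an assumption, not the
sandbox's native export format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiEvent:
    pid: int                          # calling process
    image: str                        # image name of the calling process
    api: str                          # API or behaviour label
    target_pid: Optional[int] = None  # process acted upon, for cross-process calls
    detail: str = ""                  # privilege name, queried host, ...


# Constructed input: same PIDs, image and counts as the report above. The
# report does not attribute the checkip.dyndns.org lookup to a PID; assigning
# it to 616 here is an assumption for the sake of the example.
EVENTS = [
    ApiEvent(892, "Factura de pago.exe", "EnumeratesProcesses"),
    ApiEvent(892, "Factura de pago.exe", "MapViewOfSection"),
    *[ApiEvent(892, "Factura de pago.exe", "WriteProcessMemory", 616) for _ in range(4)],
    ApiEvent(892, "Factura de pago.exe", "SetThreadContext", 616),
    ApiEvent(616, "Factura de pago.exe", "EnumeratesProcesses"),
    ApiEvent(616, "Factura de pago.exe", "AdjustPrivilegeToken", detail="SeDebugPrivilege"),
    ApiEvent(616, "Factura de pago.exe", "DnsQuery", detail="checkip.dyndns.org"),
]

# External-IP lookup hosts; only the one observed in this report is listed.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}


def image_map(events):
    """pid -> image name, taken from the first event seen for each pid."""
    images = {}
    for e in events:
        images.setdefault(e.pid, e.image)
    return images


def hollowing_candidates(events):
    """(injector, target) pairs where one process both wrote into another
    process's memory and replaced a thread context there, the two calls that
    process hollowing needs after spawning a suspended child. Also reports
    whether both processes run the same image (self-injection)."""
    writes = Counter()
    ctx = set()
    for e in events:
        if e.target_pid is None or e.target_pid == e.pid:
            continue
        pair = (e.pid, e.target_pid)
        if e.api == "WriteProcessMemory":
            writes[pair] += 1
        elif e.api == "SetThreadContext":
            ctx.add(pair)
    images = image_map(events)
    return [
        {"injector": inj, "target": tgt, "writes": writes[(inj, tgt)],
         "same_image": images.get(inj) == images.get(tgt)}
        for inj, tgt in sorted(ctx) if writes[(inj, tgt)] > 0
    ]


def debug_privilege_pids(events):
    """Processes that enabled SeDebugPrivilege (needed to open other users'
    processes; common right before credential or memory access)."""
    return sorted({e.pid for e in events
                   if e.api == "AdjustPrivilegeToken" and e.detail == "SeDebugPrivilege"})


def ip_lookup_hosts(events):
    """Distinct external-IP lookup services resolved by any process."""
    return sorted({e.detail for e in events
                   if e.api == "DnsQuery" and e.detail in IP_LOOKUP_HOSTS})


def triage(events):
    """Summarise the log and name the PIDs whose memory is worth dumping:
    the targets of the injection, since that is where the unpacked payload
    runs, not the injecting parent."""
    chains = hollowing_candidates(events)
    targets = sorted({c["target"] for c in chains})
    post = {t: sorted({e.api for e in events if e.pid == t}) for t in targets}
    return {
        "hollowing_chains": chains,
        "debug_privilege_pids": debug_privilege_pids(events),
        "ip_lookup_hosts": ip_lookup_hosts(events),
        "dump_pids": targets,
        "post_injection_apis": post,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The pairing deliberately ignores event order: sandbox signature tables group calls by API rather than by time, so requiring "writes before SetThreadContext" would miss the chain when the log is exported this way. A single WriteProcessMemory without a matching SetThreadContext (or vice versa) is not reported as a chain, which keeps ordinary debugger-style writes out of the result.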
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Memory dumps taken from PID 616 (behavioral1):

memory/616-0-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/616-1-0x000000000044E500-mapping.dmp                    (no size listed)
memory/616-2-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/616-3-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/616-4-0x0000000000280000-0x00000000002A2000-memory.dmp  136KB
memory/616-5-0x0000000001F32000-0x0000000001F33000-memory.dmp  4KB
memory/616-6-0x0000000000220000-0x000000000023C000-memory.dmp  112KB

The three 0x400000-0x450000 dumps are the ones the upx YARA rule matched in the Signatures section; the mapping address 0x44E500 falls inside that same region. Each listed size equals the address range encoded in the file name (for example 0x450000 - 0x400000 = 0x50000 bytes = 320KB).
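The dump file names above encode the PID, a running index and the virtual address range of each region, so the list can be checked mechanically: the listed size should equal end minus start, and a mapping address should be located inside one of the region dumps. The following is an added example, not code from the Triage report or from the sandbox's own tooling. The naming scheme memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and memory/<pid>-<index>-0x<addr>-mapping.dmp is read off the list above, the list itself is reproduced as constructed input, and treating 0x400000 as the default 32-bit PE image base is a general convention, not something the report states.

```python
"""Parse the memory-dump names in the Downloads list above, check the listed
sizes against the address range encoded in each name, and find which dumps
cover a given address.

Added example, not part of the Triage report. The naming scheme is inferred
from the list above; the list is reproduced here as constructed input.
"""
import re
from dataclasses import dataclass
from typing import Optional

# (file name, size as printed in the report; None where none is listed)
DOWNLOADS = [
    ("memory/616-0-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/616-1-0x000000000044E500-mapping.dmp", None),
    ("memory/616-2-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/616-3-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/616-4-0x0000000000280000-0x00000000002A2000-memory.dmp", "136KB"),
    ("memory/616-5-0x0000000001F32000-0x0000000001F33000-memory.dmp", "4KB"),
    ("memory/616-6-0x0000000000220000-0x000000000023C000-memory.dmp", "112KB"),
]

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Default image base of a 32-bit PE (assumption; the report does not say
# which region holds the executable image).
DEFAULT_IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    index: int
    kind: str            # "region" (start..end) or "mapping" (single address)
    start: int
    end: Optional[int]   # None for mapping dumps

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump_name(name: str) -> Dump:
    m = REGION_RE.match(name)
    if m:
        pid, idx, start, end = m.groups()
        return Dump(name, int(pid), int(idx), "region", int(start, 16), int(end, 16))
    m = MAPPING_RE.match(name)
    if m:
        pid, idx, addr = m.groups()
        return Dump(name, int(pid), int(idx), "mapping", int(addr, 16), None)
    raise ValueError(f"unrecognised dump name: {name}")


def parse_size(text: str) -> int:
    """'320KB' -> 327680. The report prints whole binary KB/MB."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_sizes(downloads):
    """For each region dump, compare end - start with the listed size.
    Returns (name, computed_bytes, listed_bytes, matches) tuples; a mismatch
    would mean the name and the file disagree about what was dumped."""
    out = []
    for name, listed in downloads:
        d = parse_dump_name(name)
        if d.kind != "region" or listed is None:
            continue
        listed_bytes = parse_size(listed)
        out.append((name, d.size, listed_bytes, d.size == listed_bytes))
    return out


def dumps_covering(downloads, addr: int):
    """Names of region dumps whose range contains addr, e.g. the address of
    a mapping dump, so the two can be analysed together."""
    return [name for name, _ in downloads if parse_dump_name(name).contains(addr)]


def image_base_dumps(downloads, base: int = DEFAULT_IMAGE_BASE):
    """Region dumps that start at the image base: the first place to look
    for an unpacked executable."""
    dumps = [parse_dump_name(name) for name, _ in downloads]
    return [d.name for d in dumps if d.kind == "region" and d.start == base]


if __name__ == "__main__":
    for row in check_sizes(DOWNLOADS):
        print(row)
    print(dumps_covering(DOWNLOADS, 0x44E500))
```

Running it against the list above reports every size as consistent and places the 0x44E500 mapping inside the three 0x400000-0x450000 dumps, which are also the ones the upx rule matched; that is the region to carve a PE from first.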