c82e474e76b1641ab73aafe25ebe9f509a27997a3d4e76015c5eabca15acdc63

General

Target

Factura de pago.exe
Size

798KB
MD5

3c409356f954ac50a25de19954bbf681
SHA1

6e3a4701d83d60e703c5641ce209a3cc61875bb1
SHA256

c82e474e76b1641ab73aafe25ebe9f509a27997a3d4e76015c5eabca15acdc63
SHA512

815a920e7168cd56e23012d2e00e887abf79c5f4d2b9c8ff4d47bc1777f00f62478d189062e949b72aa53db3ba87be69ed2a7db52a8b27ec1e944a635dfc6daf

Score

8^/10

spyware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Factura de pago.exe

description	pid	process	target process
PID 3812 wrote to memory of 2536	3812	Factura de pago.exe	Factura de pago.exe
PID 3812 wrote to memory of 2536	3812	Factura de pago.exe	Factura de pago.exe
PID 3812 wrote to memory of 2536	3812	Factura de pago.exe	Factura de pago.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Factura de pago.exe

pid process

3812 Factura de pago.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Factura de pago.exe

description pid process target process

PID 3812 set thread context of 2536 3812 Factura de pago.exe Factura de pago.exe

pid	process
3812	Factura de pago.exe

description	pid	process	target process
PID 3812 set thread context of 2536	3812	Factura de pago.exe	Factura de pago.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2536-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2536-2-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2536-3-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 checkip.dyndns.org
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Factura de pago.exeFactura de pago.exe

pid process

3812 Factura de pago.exe
3812 Factura de pago.exe
2536 Factura de pago.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Factura de pago.exe

description pid process

Token: SeDebugPrivilege 2536 Factura de pago.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	ioc
1	checkip.dyndns.org

pid	process
3812	Factura de pago.exe
3812	Factura de pago.exe
2536	Factura de pago.exe

description	pid	process
Token: SeDebugPrivilege	2536	Factura de pago.exe

C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Factura de pago.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2536-1-0x000000000044E500-mapping.dmp

Download
memory/2536-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2536-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2536-4-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/2536-5-0x00000000006F2000-0x00000000006F3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing