Analysis

  • max time kernel: 126s
  • max time network: 149s
  • platform: windows10_x64
  • resource: win10v200430
  • submitted: 08-07-2020 10:50

General

  • Target: Facturas y extracto bancario.exe
  • Size: 1.1MB
  • MD5: 680abdbc32da4b031df7d510393bd60c
  • SHA1: aba459e8efa99baa8c90b6dd2e596bb892915749
  • SHA256: 7b45908d8c0f59d45c8c4186ae1713289e813c6c0cd3e53184e61f576da936a4
  • SHA512: a405a7f1d40318fc8a2d7dfe66873f71d3372f5bfaba17e98334d3bfe4223f45edb876072b3f11b61a573f956a5ffb7347ae81c89802a04c81353c82cfda4096

Score
8/10

Malware Config

Signatures

  • UPX packed file (3 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe (PID 1612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious behavior: MapViewOfSection; Suspicious use of SetThreadContext
    • C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe (PID 1712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe"
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 4048)
        Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe' & exit
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3820)
          Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Facturas y extracto bancario.exe'
          Signatures: none
          • C:\Windows\SysWOW64\WerFault.exe (PID 3792)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 708
            Signatures: Suspicious behavior: EnumeratesProcesses; Program crash; Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1712-0-0x0000000000400000-0x0000000000564000-memory.dmp (Filesize: 1.4MB)
  • memory/1712-2-0x0000000000400000-0x0000000000564000-memory.dmp (Filesize: 1.4MB)
  • memory/1712-3-0x0000000000400000-0x0000000000564000-memory.dmp (Filesize: 1.4MB)
  • memory/1712-4-0x0000000002330000-0x00000000023D8000-memory.dmp (Filesize: 672KB)
  • memory/1712-5-0x0000000000A12000-0x0000000000A13000-memory.dmp (Filesize: 4KB)
  • memory/3792-16-0x0000000004AA0000-0x0000000004AA1000-memory.dmp (Filesize: 4KB)
  • memory/3792-9-0x0000000004370000-0x0000000004371000-memory.dmp (Filesize: 4KB)