Analysis
max time kernel: 147s
max time network: 112s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 11:13
Static task: static1

Behavioral task: behavioral1
  Sample: Facturas.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Facturas.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Facturas.exe
Size: 909KB
MD5: d75a4be4b55e4b2359298cde65d5fa9e
SHA1: 4dd995bf2183bc545d422f67abd6f3666bb14e1e
SHA256: bbbfb4d66a6d1ff1fb9f476cc8607a2a0b1a0bb27bdaba095a3715489d8e4315
SHA512: b56490322992d50d188f1b34c3c6971df8893d7b2c5c3db428018ffbe3ae93f00f9b2338710eb6a7c98b63731316063346ea8a743bcc4033274f448dc60559b5
Score: 7/10
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  pid   process
  616   Facturas.exe
  1260  Facturas.exe (2 entries)
  1428  rundll32.exe (28 entries)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process       target process
  PID 616 set thread context of 1260   616   Facturas.exe  Facturas.exe
  PID 1260 set thread context of 1264  1260  Facturas.exe  Explorer.EXE
  PID 1428 set thread context of 1264  1428  rundll32.exe  Explorer.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Drops file in Program Files directory (1 IoC)
Processes:
  description                    ioc                                                   process
  File opened for modification   C:\Program Files (x86)\Dithdvx\updateztqlxdix.exe    rundll32.exe
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
  description       ioc                                                                                              process
  Key created       \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                      rundll32.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K62XHZYXTH = "C:\\Program Files (x86)\\Dithdvx\\updateztqlxdix.exe"   rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                       pid   process       target process   entries
  PID 616 wrote to memory of 1260   616   Facturas.exe  Facturas.exe     4
  PID 1264 wrote to memory of 1428  1264  Explorer.EXE  rundll32.exe     7
  PID 1428 wrote to memory of 1508  1428  rundll32.exe  cmd.exe          4
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid   process
  616   Facturas.exe
  1260  Facturas.exe (3 entries)
  1428  rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                   pid   process
  Token: SeDebugPrivilege       1260  Facturas.exe
  Token: SeDebugPrivilege       1428  rundll32.exe
  Token: SeShutdownPrivilege    1264  Explorer.EXE
Deletes itself (1 IoC)
Processes:
  pid   process
  1508  cmd.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
  pid   process
  1264  Explorer.EXE (5 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid   process
  1264  Explorer.EXE (4 entries)
Modifies Internet Explorer settings
Processes:
  description   ioc                                                                                                              process
  Key created   \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   rundll32.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1264
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\Facturas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Facturas.exe"
    PID: 616
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection

    C:\Users\Admin\AppData\Local\Temp\Facturas.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Facturas.exe"
      PID: 1260
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    PID: 1428
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Facturas.exe"
      PID: 1508
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\1LRAN99E\1LRlogim.jpeg
- C:\Users\Admin\AppData\Roaming\1LRAN99E\1LRlogri.ini
- C:\Users\Admin\AppData\Roaming\1LRAN99E\1LRlogrv.ini
- memory/1260-0-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1260-1-0x000000000041B690-mapping.dmp
- memory/1428-2-0x0000000000000000-mapping.dmp
- memory/1428-3-0x00000000009D0000-0x00000000009DE000-memory.dmp (Filesize: 56KB)
- memory/1428-5-0x00000000030A0000-0x00000000031A1000-memory.dmp (Filesize: 1.0MB)
- memory/1428-6-0x0000000075760000-0x000000007576C000-memory.dmp (Filesize: 48KB)
- memory/1428-7-0x0000000076A70000-0x0000000076B8D000-memory.dmp (Filesize: 1.1MB)
- memory/1508-4-0x0000000000000000-mapping.dmp