Analysis

  • max time kernel
    124s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    02-10-2020 07:25

General

  • Target
    PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe
  • Size
    854KB
  • MD5
    ee25cc3a8bfe7ca957ceabba93532f98
  • SHA1
    58d4cda42858beae2cabc81b3431662a1706c169
  • SHA256
    e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
  • SHA512
    6f6663c56c7c0867da762d82015cb20757669edc980ed3d302de1df43ae61e4baa11329b3ab0ea065add9d4a4f43d1a1020720269a3b09df76f2cf62cdde058b

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe
    "C:\Users\Admin\AppData\Local\Temp\PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo tfJK
      2⤵
      PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < VWjxBKXxtoNK.com
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 vAyrJy.woJRtj
            4⤵
            • Runs ping.exe
            PID:576
          • C:\Windows\SysWOW64\certutil.exe
            certutil -decode hbMSEvVVhDZPqqUGJul.com g
            4⤵
            PID:2220
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
              lsass.com g
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3748
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com g
                5⤵
                • Executes dropped EXE
                • Drops startup file
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:3988
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  • Views/modifies file attributes
                  PID:2488
                  • C:\Windows\SysWOW64\REG.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
                    7⤵
                    • Adds Run key to start application
                    PID:2268
                  • C:\Windows\SysWOW64\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
                    7⤵
                    • Blacklisted process makes network request
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4016
                  • C:\Windows\SysWOW64\REG.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
                    7⤵
                    • Adds Run key to start application
                    PID:744
                  • C:\Windows\SysWOW64\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
                    7⤵
                    • Blacklisted process makes network request
                    • Loads dropped DLL
                    PID:4036
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 30
              4⤵
              • Runs ping.exe
              PID:3124

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2488-19-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize
    148KB
  • memory/2488-16-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize
    148KB