e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe

Analysis

max time kernel
124s
max time network
126s
platform
windows10_x64
resource
win10v200722
submitted
02-10-2020 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe
Size

854KB
MD5

ee25cc3a8bfe7ca957ceabba93532f98
SHA1

58d4cda42858beae2cabc81b3431662a1706c169
SHA256

e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
SHA512

6f6663c56c7c0867da762d82015cb20757669edc980ed3d302de1df43ae61e4baa11329b3ab0ea065add9d4a4f43d1a1020720269a3b09df76f2cf62cdde058b

Score

8^/10

persistence

Malware Config

Signatures

Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

16 4016 rundll32.exe
18 4036 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

lsass.comlsass.comattrib.exe

pid process

3748 lsass.com
3988 lsass.com
2488 attrib.exe
Drops startup file 1 IoCs

Processes:

lsass.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.url lsass.com
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4016 rundll32.exe
4036 rundll32.exe
4036 rundll32.exe

flow	pid	process
16	4016	rundll32.exe
18	4036	rundll32.exe

pid	process
3748	lsass.com
3988	lsass.com
2488	attrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.url	lsass.com

pid	process
4016	rundll32.exe
4036	rundll32.exe
4036	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lsass.com

description pid process target process

PID 3988 set thread context of 2488 3988 lsass.com attrib.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

576 PING.EXE
3124 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4016 rundll32.exe
4016 rundll32.exe
4016 rundll32.exe
4016 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lsass.com

pid process

3988 lsass.com

description	pid	process	target process
PID 3988 set thread context of 2488	3988	lsass.com	attrib.exe

pid	process
576	PING.EXE
3124	PING.EXE

pid	process
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe

pid	process
3988	lsass.com

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.execmd.execmd.exelsass.comlsass.comattrib.exe

description	pid	process	target process
PID 3876 wrote to memory of 2080	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3876 wrote to memory of 2080	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3876 wrote to memory of 2080	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3876 wrote to memory of 3980	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3876 wrote to memory of 3980	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3876 wrote to memory of 3980	3876	PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe	cmd.exe
PID 3980 wrote to memory of 3948	3980	cmd.exe	cmd.exe
PID 3980 wrote to memory of 3948	3980	cmd.exe	cmd.exe
PID 3980 wrote to memory of 3948	3980	cmd.exe	cmd.exe
PID 3948 wrote to memory of 576	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 576	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 576	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 2220	3948	cmd.exe	certutil.exe
PID 3948 wrote to memory of 2220	3948	cmd.exe	certutil.exe
PID 3948 wrote to memory of 2220	3948	cmd.exe	certutil.exe
PID 3948 wrote to memory of 3748	3948	cmd.exe	lsass.com
PID 3948 wrote to memory of 3748	3948	cmd.exe	lsass.com
PID 3948 wrote to memory of 3748	3948	cmd.exe	lsass.com
PID 3948 wrote to memory of 3124	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 3124	3948	cmd.exe	PING.EXE
PID 3948 wrote to memory of 3124	3948	cmd.exe	PING.EXE
PID 3748 wrote to memory of 3988	3748	lsass.com	lsass.com
PID 3748 wrote to memory of 3988	3748	lsass.com	lsass.com
PID 3748 wrote to memory of 3988	3748	lsass.com	lsass.com
PID 3988 wrote to memory of 2488	3988	lsass.com	attrib.exe
PID 3988 wrote to memory of 2488	3988	lsass.com	attrib.exe
PID 3988 wrote to memory of 2488	3988	lsass.com	attrib.exe
PID 3988 wrote to memory of 2488	3988	lsass.com	attrib.exe
PID 2488 wrote to memory of 2268	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 2268	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 2268	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 4016	2488	attrib.exe	rundll32.exe
PID 2488 wrote to memory of 4016	2488	attrib.exe	rundll32.exe
PID 2488 wrote to memory of 4016	2488	attrib.exe	rundll32.exe
PID 2488 wrote to memory of 744	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 744	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 744	2488	attrib.exe	REG.exe
PID 2488 wrote to memory of 4036	2488	attrib.exe	rundll32.exe
PID 2488 wrote to memory of 4036	2488	attrib.exe	rundll32.exe
PID 2488 wrote to memory of 4036	2488	attrib.exe	rundll32.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2488 attrib.exe

pid	process
2488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo tfJK
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < VWjxBKXxtoNK.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\PING.EXE
ping -n 1 vAyrJy.woJRtj
4⤵
- Runs ping.exe
PID:576

C:\Windows\SysWOW64\certutil.exe
certutil -decode hbMSEvVVhDZPqqUGJul.com g
4⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
lsass.com g
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com g
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
PID:2488

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
7⤵
- Adds Run key to start application
PID:2268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
7⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
7⤵
- Adds Run key to start application
PID:744

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
7⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:4036

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EnaZCtNwN.com
MD5
48ed6a8c928dd924c9621b157014fc44

SHA1
7e93b04ef9839423053ab7d8a441b2042141339e

SHA256
1a028182c16d2fce31b93b7484cde8375a9e9577609b8276ed2b1c257d90e8fd

SHA512
10f3069936cd6e554c505b7293e7c4b73f6a95aa158c8cd1046fda938b451a05d8d10c6f96b22fad1952eedcd7d5bf3a30d74280936da7773778d18d0a1e9c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VWjxBKXxtoNK.com
MD5
b47cfbc361ee1280d5ad49ebebd86548

SHA1
83bae8649d7fc8dbc9fd3fc7bfee7e859750bcd0

SHA256
daf4141975615c27f6f3dcc829fe485cd4aa4519743ba6514fcb8a20c7023933

SHA512
61306c2398a1f8cac9b1097cb4265f3d36a26658380e4969d6e43a6f0864067c779844112ed5187657ab34464aaba85b05547508916be70e64ad3d721cf23ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
MD5
86a994b7694c1749acb41af87416876b

SHA1
b84cfb9c22dcbdf91bf5e48d90de98b7479bf2d2

SHA256
cafc9e5a12be5522d47a9b856dcbc4afcc48fdc85232300446af2e564c380d11

SHA512
f1e5b6f6b888abd41b806659c0203df8bc46198f53e189d2446ce5675e9902576355d28e85bd5ec7cafc93a8b1d65fab5bac570a7ff958c66f3398c256f12582

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\attrib.exe
MD5
86a994b7694c1749acb41af87416876b

SHA1
b84cfb9c22dcbdf91bf5e48d90de98b7479bf2d2

SHA256
cafc9e5a12be5522d47a9b856dcbc4afcc48fdc85232300446af2e564c380d11

SHA512
f1e5b6f6b888abd41b806659c0203df8bc46198f53e189d2446ce5675e9902576355d28e85bd5ec7cafc93a8b1d65fab5bac570a7ff958c66f3398c256f12582

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\g
MD5
fd8e0031f5d3e96348fd91ad62898d84

SHA1
7078eb54b4b3df9eb853d6ae9fd4d1ec46810dcc

SHA256
47d706f4066cdf06a9e600606b51dfbd019b995195c10c65b1499ef14d6ef31c

SHA512
7981d43b229384eea7c5b53dd107907da47bed2e5fbf90dfae3eea663064158cd14f7a5e2fe4a7f6b185c943d7699901beac5d8c26a7742beb2c7fb19236fe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hbMSEvVVhDZPqqUGJul.com
MD5
4e1fd8d85a304bba94fb00d517101be8

SHA1
be5e62467f8ea6a4ca4961048202cd619a51e5b2

SHA256
d9eaa48b34a764aa31d8342e827a7fa68f3e17ccd7fb4233a6a14b63101d4b5a

SHA512
5399dc78d7f6d75d8af6c553462a1380edfc84185582ad490b051fb8df9628c7f57809ce315ed4e43925898ede7b35656c4fb4195ae620adb9447e6ff8465834

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
MD5
7098bdf41092092927874259196e5d80

SHA1
7ed19875c88e93fe3c0cc38b8bff56c61d0a8307

SHA256
140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558

SHA512
dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
MD5
7098bdf41092092927874259196e5d80

SHA1
7ed19875c88e93fe3c0cc38b8bff56c61d0a8307

SHA256
140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558

SHA512
dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsass.com
MD5
7098bdf41092092927874259196e5d80

SHA1
7ed19875c88e93fe3c0cc38b8bff56c61d0a8307

SHA256
140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558

SHA512
dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xbgVttWA.com
MD5
392e5cc019e763f0019337277db81081

SHA1
9402765f17c7e2b0cf15520ffef56476a855ab2c

SHA256
852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01

SHA512
4e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553

Download Submit
C:\Users\Admin\AppData\Local\Temp\cred.dll
MD5
534011e44589ccb05a3927dcee2320a9

SHA1
d4da2c09653f529183aaf0cd9262af3dd32f6819

SHA256
8437af9312fa3a3f5ed17a5b1877502024832eb2b050fb93566389817c47f551

SHA512
90de4618d7832bcdb606eb2f017e970589f4b5e233857e163454dff3582596f938081a54b1084869fdb5ccebd375ba9efe0765f2909e0f6449ab70d478fd9b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr.dll
MD5
31f97b7fa2f4924fc1c8633607128fc7

SHA1
ea4edc1af6ff4c8dddc524b5e546ab37b304d8f8

SHA256
c408659f786e17b2cbb5a2668ce4923a70a6c59e7320df0c3c206a4ba5c17989

SHA512
7eba3bc9cda6ab768d44d2437050dd60c6fa1f9a4b786c5dd573cf69ca9d73af2edca761c06e0eae79245b4941d70f55937fd8e2ceceef4b76e193e69de6220e

Download Submit
\Users\Admin\AppData\Local\Temp\cred.dll
MD5
534011e44589ccb05a3927dcee2320a9

SHA1
d4da2c09653f529183aaf0cd9262af3dd32f6819

SHA256
8437af9312fa3a3f5ed17a5b1877502024832eb2b050fb93566389817c47f551

SHA512
90de4618d7832bcdb606eb2f017e970589f4b5e233857e163454dff3582596f938081a54b1084869fdb5ccebd375ba9efe0765f2909e0f6449ab70d478fd9b61

Download Submit
\Users\Admin\AppData\Local\Temp\scr.dll
MD5
31f97b7fa2f4924fc1c8633607128fc7

SHA1
ea4edc1af6ff4c8dddc524b5e546ab37b304d8f8

SHA256
c408659f786e17b2cbb5a2668ce4923a70a6c59e7320df0c3c206a4ba5c17989

SHA512
7eba3bc9cda6ab768d44d2437050dd60c6fa1f9a4b786c5dd573cf69ca9d73af2edca761c06e0eae79245b4941d70f55937fd8e2ceceef4b76e193e69de6220e

Download Submit
\Users\Admin\AppData\Local\Temp\scr.dll
MD5
31f97b7fa2f4924fc1c8633607128fc7

SHA1
ea4edc1af6ff4c8dddc524b5e546ab37b304d8f8

SHA256
c408659f786e17b2cbb5a2668ce4923a70a6c59e7320df0c3c206a4ba5c17989

SHA512
7eba3bc9cda6ab768d44d2437050dd60c6fa1f9a4b786c5dd573cf69ca9d73af2edca761c06e0eae79245b4941d70f55937fd8e2ceceef4b76e193e69de6220e

Download Submit
memory/576-4-0x0000000000000000-mapping.dmp

Download
memory/744-25-0x0000000000000000-mapping.dmp

Download
memory/2080-0-0x0000000000000000-mapping.dmp

Download
memory/2220-6-0x0000000000000000-mapping.dmp

Download
memory/2268-21-0x0000000000000000-mapping.dmp

Download
memory/2488-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2488-17-0x0000000000401240-mapping.dmp

Download
memory/2488-16-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-10-0x0000000000000000-mapping.dmp

Download
memory/3748-8-0x0000000000000000-mapping.dmp

Download
memory/3948-3-0x0000000000000000-mapping.dmp

Download
memory/3980-1-0x0000000000000000-mapping.dmp

Download
memory/3988-12-0x0000000000000000-mapping.dmp

Download
memory/4016-22-0x0000000000000000-mapping.dmp

Download
memory/4036-26-0x0000000000000000-mapping.dmp

Download