Overview

overview

10

Static

static

BANCOLOMBI...IN.exe

windows7_x64

1

BANCOLOMBI...IN.exe

windows10_x64

10

Analysis

  • max time kernel
    3s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    28-12-2020 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe

  • Size

    321KB

  • MD5

    24b6a2657a73c3bad64be3b3eadc5ecd

  • SHA1

    5f35c84e24163264be7ccb807d8121695c3b1c4d

  • SHA256

    cdbadb90de6d5cbdd15f273917be1ba0a17142aa84b3196becafb5c670ec5d28

  • SHA512

    55a820b8fa4be1a8313c5ec9d33ab5314635d98428141c52ab62f49441fbf755832ddacf2ec7455c266893fb716803afe319ae5fc9d845055cf97a0d401a74ea

Score
1/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe
    "C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN explorer.exe /XML "C:\Users\Admin\AppData\Local\Temp\a2c3156a75534383bff0c301114bc906.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN explorer.exe /XML "C:\Users\Admin\AppData\Local\Temp\a2c3156a75534383bff0c301114bc906.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1916
    • C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe
      "C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe
        "C:\Users\Admin\AppData\Local\Temp\BANCOLOMBIA LE INFORMA QUE SU CUENTA DE AHORRO ESTA PRESENTANDO MOVIVIMIENTOS INUSUALES VALIDE SU IN.exe"
        3⤵
          PID:1424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a2c3156a75534383bff0c301114bc906.xml
      MD5

      41c8b948ca663611de289d29534a0ded

      SHA1

      4ad42bc9e26bfba7d71634677c995bbe72f5387b

      SHA256

      63e2d926dfc4bd6ff0044329462094a85b66d04ab66a4bceb4afc0ec7f66c82c

      SHA512

      370a7f87ec7d4e0f21fc2cb0bd151268c601f39a4b077244a2f2a6692fa04f3b68af8d1d59a4e0f8a0e7e7fe3f224a5b6cfc848622440843233413039acb6d6d

      Download Submit
    • memory/1292-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-3-0x0000000000000000-mapping.dmp
      Download
    • memory/1424-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-5-0x0000000000000000-mapping.dmp
      Download