7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b

General

Target

Transferencia,pdf.scr
Size

883KB
MD5

2b8f56aded46aa04a89c3a7266a305c4
SHA1

c09ab6301b41dbc56a13055bd2f1c4a6449ead1f
SHA256

7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b
SHA512

7914345fc6b13447c6a80ef5002bea10c188421a92c5cb17c25f82ca1dce44abc818b1a81d451b258c16c889de24af14cc093323b5849122947a187985bc14e5

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Transferencia,pdf.scr

description pid process target process

PID 1184 set thread context of 1844 1184 Transferencia,pdf.scr Transferencia,pdf.scr

description	pid	process	target process
PID 1184 set thread context of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Transferencia,pdf.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Transferencia,pdf.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Transferencia,pdf.scr

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Transferencia,pdf.scr

pid process

1844 Transferencia,pdf.scr
1844 Transferencia,pdf.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Transferencia,pdf.scr

description pid process

Token: SeDebugPrivilege 1844 Transferencia,pdf.scr

pid	process
1844	Transferencia,pdf.scr
1844	Transferencia,pdf.scr

description	pid	process
Token: SeDebugPrivilege	1844	Transferencia,pdf.scr

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Transferencia,pdf.scr

description	pid	process	target process
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr
PID 1184 wrote to memory of 1844	1184	Transferencia,pdf.scr	Transferencia,pdf.scr

C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr
C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-2-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp

Filesize
2.5MB

Download
memory/1844-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1844-4-0x000000000040CCEF-mapping.dmp

Download
memory/1844-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1844-6-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads