Analysis

- Max time kernel: 60s
- Max time network: 62s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 12-01-2021 18:09

Static task: static1

Behavioral task: behavioral1
- Sample: Transferencia,pdf.scr
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Transferencia,pdf.scr
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: Transferencia,pdf.scr
- Size: 883KB
- MD5: 2b8f56aded46aa04a89c3a7266a305c4
- SHA1: c09ab6301b41dbc56a13055bd2f1c4a6449ead1f
- SHA256: 7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b
- SHA512: 7914345fc6b13447c6a80ef5002bea10c188421a92c5cb17c25f82ca1dce44abc818b1a81d451b258c16c889de24af14cc093323b5849122947a187985bc14e5
- Score: 5/10
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1184 (Transferencia,pdf.scr) set thread context of PID 1844 (Transferencia,pdf.scr)

Modifies system certificate store
Processes (Transferencia,pdf.scr):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
  Note: the key name is the certificate's SHA-1 thumbprint. DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the thumbprint of DST Root CA X3 (the IdenTrust root that cross-signs Let's Encrypt), and AuthRoot is the store that Windows' automatic root update populates when a process first validates a chain ending in a root it does not yet have. On its own this row is therefore consistent with the HTTP flows below rather than evidence of a planted root; check the thumbprint against known roots before treating it as tampering.

Script User-Agent (2 IoCs)
Uses a user-agent string associated with a script host/environment. The string below is the default user agent of the WinHttp.WinHttpRequest.5.1 COM object, which is what scripts and many packers use for HTTP.
Network flows:
  flow 14: HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 15: HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1844 Transferencia,pdf.scr (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege enabled by PID 1844 (Transferencia,pdf.scr)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1184 (Transferencia,pdf.scr) wrote to memory of PID 1844 (Transferencia,pdf.scr), 6 times
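The SetThreadContext and WriteProcessMemory rows above, with parent and child sharing one image name, are the shape of process hollowing: a suspended copy of the same executable is overwritten by the parent and its main thread is pointed at the new entry point, after which the child, not the parent, does the interesting work (here: enumerating processes and enabling SeDebugPrivilege). The following is an added example, not code from the sandbox report or from the sample, showing detection logic run over hand-constructed event records that mirror the signature rows. The `Event` class and its field names are assumptions, as is attributing the AuthRoot registry write to PID 1184 (the process tree lists "Modifies system certificate store" under the parent).

```python
"""Detection logic for the parent/child pattern in the signature tables above.

Added example (not part of the sandbox report). The EVENTS list is constructed
by hand to mirror the report's rows: PIDs 1184 -> 1844 with the same image name,
six WriteProcessMemory calls, one SetThreadContext, SeDebugPrivilege enabled in
the child, and the AuthRoot registry write (attributed to the parent, PID 1184,
per the process tree). A real feed would come from a sandbox export or Sysmon.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IMAGE = "Transferencia,pdf.scr"
# Registry prefix under which Windows keeps automatically-downloaded roots.
AUTHROOT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
                r"\AuthRoot\Certificates" + "\\")


@dataclass
class Event:
    kind: str                         # write_process_memory | set_thread_context | adjust_privilege | registry_set
    pid: int
    image: str
    target_pid: Optional[int] = None  # only for cross-process events
    target_image: Optional[str] = None
    detail: str = ""                  # privilege name or registry path


# Constructed from the report's signature rows (PIDs and image names as shown there).
EVENTS: List[Event] = (
    [Event("write_process_memory", 1184, IMAGE, 1844, IMAGE) for _ in range(6)]
    + [
        Event("set_thread_context", 1184, IMAGE, 1844, IMAGE),
        Event("adjust_privilege", 1844, IMAGE, detail="SeDebugPrivilege"),
        Event("registry_set", 1184, IMAGE,
              detail=AUTHROOT_KEY + "DAC9024F54D8F6DF94935FB1732638CA6AD77C13\\Blob"),
    ]
)


def has_privilege(events: List[Event], pid: int, name: str) -> bool:
    """True if `pid` enabled the named privilege on its token."""
    return any(ev.kind == "adjust_privilege" and ev.pid == pid and ev.detail == name
               for ev in events)


def find_hollowing(events: List[Event]) -> List[Dict[str, object]]:
    """Flag (parent, child) pairs where the parent both wrote the child's memory and
    reset a thread context in it. A context reset without prior writes (e.g. a
    debugger) is not flagged. same_image marks the self-hollowing variant seen here."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx_resets: Set[Tuple[int, int]] = set()
    images: Dict[Tuple[int, int], Tuple[str, Optional[str]]] = {}
    for ev in events:
        if ev.target_pid is None:
            continue
        key = (ev.pid, ev.target_pid)
        images[key] = (ev.image, ev.target_image)
        if ev.kind == "write_process_memory":
            writes[key] += 1
        elif ev.kind == "set_thread_context":
            ctx_resets.add(key)
    findings: List[Dict[str, object]] = []
    for key in sorted(ctx_resets):
        if writes[key] == 0:
            continue
        parent_img, child_img = images[key]
        findings.append({
            "parent": key[0],
            "child": key[1],
            "writes": writes[key],
            "same_image": parent_img == child_img,
            "child_has_debug_priv": has_privilege(events, key[1], "SeDebugPrivilege"),
        })
    return findings


def find_authroot_writes(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, thumbprint) for every write under the AuthRoot store. The key name
    is the certificate's SHA-1 thumbprint (40 hex digits); match it against the roots
    you expect Windows to fetch before treating the write as tampering."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if ev.kind != "registry_set" or not ev.detail.upper().startswith(AUTHROOT_KEY.upper()):
            continue
        thumb = ev.detail[len(AUTHROOT_KEY):].split("\\")[0].upper()
        if len(thumb) == 40 and all(c in "0123456789ABCDEF" for c in thumb):
            hits.append((ev.pid, thumb))
    return hits


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print("hollowing:", finding)
    for pid, thumb in find_authroot_writes(EVENTS):
        print(f"AuthRoot write by PID {pid}: thumbprint {thumb}")
```

On the report's rows this yields one hollowing finding (1184 -> 1844, six writes, same image, child holds SeDebugPrivilege) and one AuthRoot thumbprint to look up; the two checks are kept separate because the second is only meaningful once the thumbprint has been compared against known roots.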
Processes

1. C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr (PID 1184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr" /S
   - Suspicious use of SetThreadContext
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr (PID 1844, child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/532-2-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp (2.5MB)
- memory/1844-3-0x0000000000400000-0x0000000000449000-memory.dmp (292KB)
- memory/1844-4-0x000000000040CCEF-mapping.dmp
- memory/1844-5-0x0000000000400000-0x0000000000449000-memory.dmp (292KB)
- memory/1844-6-0x0000000001DC0000-0x0000000001DD1000-memory.dmp (68KB)

The 0x400000-0x449000 dumps of PID 1844 cover the child's image range, the region the parent wrote into before the SetThreadContext call; 0x40CCEF lies inside it (image RVA 0xCCEF), so that address is the one to start from when looking for the injected payload's entry point in those dumps.