Analysis
- max time kernel: 119s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-01-2021 18:09
Static task: static1
Behavioral task: behavioral1
- Sample: Transferencia,pdf.scr
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Transferencia,pdf.scr
- Resource: win10v20201028
General
- Target: Transferencia,pdf.scr
- Size: 883KB
- MD5: 2b8f56aded46aa04a89c3a7266a305c4
- SHA1: c09ab6301b41dbc56a13055bd2f1c4a6449ead1f
- SHA256: 7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b
- SHA512: 7914345fc6b13447c6a80ef5002bea10c188421a92c5cb17c25f82ca1dce44abc818b1a81d451b258c16c889de24af14cc093323b5849122947a187985bc14e5
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\assembly\Desktop.ini | Transferencia,pdf.scr
  File opened for modification | C:\Windows\assembly\Desktop.ini | Transferencia,pdf.scr
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 728 set thread context of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
- Drops file in Windows directory (3 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\assembly | Transferencia,pdf.scr
  File created | C:\Windows\assembly\Desktop.ini | Transferencia,pdf.scr
  File opened for modification | C:\Windows\assembly\Desktop.ini | Transferencia,pdf.scr
- Script User-Agent (2 IoCs)
  Uses a user-agent string associated with a script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1108 | Transferencia,pdf.scr
  1108 | Transferencia,pdf.scr
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1108 | Transferencia,pdf.scr
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 728 wrote to memory of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
  PID 728 wrote to memory of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
  PID 728 wrote to memory of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
  PID 728 wrote to memory of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
  PID 728 wrote to memory of 1108 | 728 | Transferencia,pdf.scr | Transferencia,pdf.scr
Processes
- C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\Transferencia,pdf.scr
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1108-2-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
- memory/1108-3-0x000000000040CCEF-mapping.dmp
- memory/1108-4-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
- memory/1108-5-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)
- memory/1108-6-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)