d509a1aac6989c651953416b29ee6c949eba0be53df193b29e2e95e5b9e4635e

General

Target

Nuevo documento de confirmación de solicitud..exe
Size

812KB
MD5

ca9350da27b53b25146a0d8b6913b06c
SHA1

f54b3cb317ac7410ea510839718484595534f533
SHA256

d509a1aac6989c651953416b29ee6c949eba0be53df193b29e2e95e5b9e4635e
SHA512

9e5724f58bc1da17358903d4a3d7436881dba63f430ce2b4b7e015709473e48552fde778efe2b0e1ee9877d0e1d2f311855961bd6c100ed1f2683240f87b94f7

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2128-126-0x0000000010410000-0x00000000107F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Nuevo documento de confirmación de solicitud..exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dvnvxx = "C:\\Users\\Public\\Libraries\\xxvnvD.url"	Nuevo documento de confirmación de solicitud..exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

mobsync.exe

pid process

2128 mobsync.exe
2128 mobsync.exe
2128 mobsync.exe
2128 mobsync.exe
2128 mobsync.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mobsync.exe

description pid process

Token: SeShutdownPrivilege 2128 mobsync.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mobsync.exe

pid process

2128 mobsync.exe
2128 mobsync.exe

pid	process
2128	mobsync.exe
2128	mobsync.exe
2128	mobsync.exe
2128	mobsync.exe
2128	mobsync.exe

description	pid	process
Token: SeShutdownPrivilege	2128	mobsync.exe

pid	process
2128	mobsync.exe
2128	mobsync.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Nuevo documento de confirmación de solicitud..exe

description	pid	process	target process
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe
PID 3904 wrote to memory of 2128	3904	Nuevo documento de confirmación de solicitud..exe	mobsync.exe

C:\Users\Admin\AppData\Local\Temp\Nuevo documento de confirmación de solicitud..exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo documento de confirmación de solicitud..exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-119-0x0000000000000000-mapping.dmp

Download
memory/2128-121-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2128-120-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2128-126-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/2128-125-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3904-114-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000002760000-0x000000000277A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads