368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

General

Target

comparendopicoycedula365215999runtcomco.exe
Size

2.3MB
MD5

44bc0732e9c6deb1f912ddbd055efac3
SHA1

99f1c521d68f068c735c842504f01f5678ddb157
SHA256

368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb
SHA512

a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1324-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1324-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

comparendopicoycedula365215999runtcomco.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\antimalawareserviceexecutablee = "C:\\Users\\Admin\\AppData\\Local\\windowsdefenderlogsini\\antimalawareserviceexecutablee.exe"	comparendopicoycedula365215999runtcomco.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid	process
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

description	pid	process	target process
PID 756 set thread context of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid process

756 comparendopicoycedula365215999runtcomco.exe
756 comparendopicoycedula365215999runtcomco.exe

pid	process
756	comparendopicoycedula365215999runtcomco.exe
756	comparendopicoycedula365215999runtcomco.exe

Suspicious behavior: RenamesItself 7 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid	process
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe
1324	comparendopicoycedula365215999runtcomco.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

comparendopicoycedula365215999runtcomco.execomparendopicoycedula365215999runtcomco.exe

description	pid	process
Token: SeDebugPrivilege	756	comparendopicoycedula365215999runtcomco.exe
Token: SeDebugPrivilege	1324	comparendopicoycedula365215999runtcomco.exe
Token: SeShutdownPrivilege	1324	comparendopicoycedula365215999runtcomco.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid process

1324 comparendopicoycedula365215999runtcomco.exe
1324 comparendopicoycedula365215999runtcomco.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

description	pid	process	target process
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 756 wrote to memory of 1324	756	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe

C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe
"C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe
  "C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-59-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/756-61-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/756-62-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/756-63-0x0000000005B80000-0x0000000005D56000-memory.dmp

Filesize
1.8MB

Download
memory/756-64-0x00000000058C0000-0x0000000005A49000-memory.dmp

Filesize
1.5MB

Download
memory/1324-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1324-66-0x00000000007E23C0-mapping.dmp

Download
memory/1324-67-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1324-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads