Analysis
max time kernel: 152s
max time network: 149s
platform: windows7_x64
resource: win7v20210408
submitted: 21-04-2021 21:01

Static task: static1

Behavioral task: behavioral1
  Sample: confirmación de solicitud de documento DOC.ex.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: confirmación de solicitud de documento DOC.ex.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
Target: confirmación de solicitud de documento DOC.ex.exe
Size: 628KB
MD5: f92cfccc787573ad96e73fe5df999ebc
SHA1: 8213016a7c85c3ca70f30b9afdc60d3d6e4c82cc
SHA256: 6c2ca93949c6c8463079056deb121abcaea9934dcd860024624a4b0d53093204
SHA512: 631163c9150eb79d001859d46df7b8df184c98c2ead25332a179642a681f5bea890094d935fb4299d2691b2fc82188e180bd96a89767cf68c3dd08b95257385f
Score: 8/10
Malware Config
Signatures

Processes:
  resource: behavioral1/memory/388-73-0x0000000010410000-0x00000000107F4000-memory.dmp
  yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bpwzer = "C:\\Users\\Public\\Libraries\\rezwpB.url"
  process: confirmación de solicitud de documento DOC.ex.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
  pid: 388, process: dialer.exe (same entry listed 5 times, one per IoC)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege, pid: 388, process: dialer.exe
  description: Token: SeShutdownPrivilege, pid: 388, process: dialer.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 388, process: dialer.exe (same entry listed 2 times, one per IoC)

Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description: PID 864 wrote to memory of 388
  pid: 864, process: confirmación de solicitud de documento DOC.ex.exe
  target process: dialer.exe
  (same entry listed 24 times, one per IoC)
Processes

1. C:\Users\Admin\AppData\Local\Temp\confirmación de solicitud de documento DOC.ex.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\confirmación de solicitud de documento DOC.ex.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\dialer.exe (child of process 1)
      command line: C:\Windows\System32\dialer.exe
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/388-66-0x0000000000000000-mapping.dmp
memory/388-68-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
memory/388-72-0x0000000000260000-0x0000000000261000-memory.dmp (4KB)
memory/388-73-0x0000000010410000-0x00000000107F4000-memory.dmp (3.9MB)
memory/388-74-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
memory/864-60-0x0000000075891000-0x0000000075893000-memory.dmp (8KB)
memory/864-61-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
memory/864-63-0x0000000000260000-0x000000000027A000-memory.dmp (104KB)