Analysis
max time kernel: 149s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 21:01
Static task: static1
Behavioral task: behavioral1
  Sample: confirmación de solicitud de documento DOC.ex.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: confirmación de solicitud de documento DOC.ex.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
Target: confirmación de solicitud de documento DOC.ex.exe (Spanish for "document request confirmation"; note the double extension ".ex.exe")
Size: 628KB
MD5: f92cfccc787573ad96e73fe5df999ebc
SHA1: 8213016a7c85c3ca70f30b9afdc60d3d6e4c82cc
SHA256: 6c2ca93949c6c8463079056deb121abcaea9934dcd860024624a4b0d53093204
SHA512: 631163c9150eb79d001859d46df7b8df184c98c2ead25332a179642a681f5bea890094d935fb4299d2691b2fc82188e180bd96a89767cf68c3dd08b95257385f
Score: 8/10
Malware Config
Signatures
YARA rule match
  resource: behavioral2/memory/1276-126-0x0000000010410000-0x00000000107F4000-memory.dmp
  yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bpwzer = "C:\\Users\\Public\\Libraries\\rezwpB.url"
  process: confirmación de solicitud de documento DOC.ex.exe
  Note: the Run value points at a .url shortcut under C:\Users\Public\Libraries, not at the dropped executable, so a persistence hunt that only matches .exe paths in Run keys misses it.
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid 1276 mobsync.exe (5 calls)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeShutdownPrivilege, pid 1276 mobsync.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1276 mobsync.exe (2 calls)
Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3224 (confirmación de solicitud de documento DOC.ex.exe) wrote to memory of PID 1276 (mobsync.exe); the same source/target pair is reported for all 23 writes.
  Note: the anti-debug, token and hook activity is attributed to mobsync.exe, a Microsoft binary, only after the dropper wrote into it. Together with the upx YARA match on a region dumped from pid 1276, this is consistent with the payload being injected into mobsync.exe rather than being mobsync.exe's own behaviour.
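As an added example (not part of the sandbox report or its tooling), the rules below turn the signatures above into detection logic and run it over a constructed API trace modelled on the report's IoCs. The event field layout, the user-writable path list, the Windows-binary pattern and the rule names are this example's own assumptions, not the sandbox's format.

```python
"""Detection rules for the behaviour chain in this report: Run-key persistence,
memory writes from an untrusted path into a Windows binary, and anti-debug calls
made by the written-into process. Added example; the trace is constructed."""
import re
from collections import Counter

# Paths a standard user can write to; a process image here is untrusted. (Assumed list.)
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads|Desktop|Documents)\\"
    r"|^C:\\Users\\Public\\|^C:\\ProgramData\\", re.IGNORECASE)
# Signed Microsoft binaries commonly used as injection hosts live here.
WINDOWS_BIN = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
INDIRECT_PAYLOAD_EXT = {"url", "lnk", "vbs", "js", "hta", "bat", "cmd"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value for ThreadHideFromDebugger

# Constructed trace modelled on the IoCs in this report (pid 3224 = dropper,
# pid 1276 = mobsync.exe). The field names are this example's own, not the sandbox's.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\confirmación de solicitud de documento DOC.ex.exe"
IMAGES = {3224: DROPPER, 1276: r"C:\Windows\SysWOW64\mobsync.exe"}
SAMPLE_TRACE = (
    [{"api": "CreateProcessW", "pid": 3224, "target_pid": 1276,
      "cmdline": r"C:\Windows\System32\mobsync.exe"}]
    + [{"api": "WriteProcessMemory", "pid": 3224, "target_pid": 1276}] * 23
    + [{"api": "NtSetInformationThread", "pid": 1276,
        "info_class": THREAD_HIDE_FROM_DEBUGGER}] * 5
    + [{"api": "RegSetValueExW", "pid": 3224,
        "key": r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "value": "Bpwzer", "data": r"C:\Users\Public\Libraries\rezwpB.url"}]
)


def rule_run_key_persistence(trace, images=IMAGES):
    """Run/RunOnce value set by a process running from a user-writable path, or whose
    data points into C:\\Users\\Public or at a shortcut/script instead of an .exe."""
    hits = []
    for ev in trace:
        if ev["api"] not in ("RegSetValueExW", "RegSetValueExA"):
            continue
        if not RUN_KEY.search(ev["key"] + "\\"):
            continue
        data = ev["data"].strip('"')
        suspicious = (
            bool(USER_WRITABLE.match(images.get(ev["pid"], "")))
            or data.lower().startswith("c:\\users\\public\\")
            or data.lower().rsplit(".", 1)[-1] in INDIRECT_PAYLOAD_EXT)
        if suspicious:
            hits.append({"rule": "run_key_persistence", "pid": ev["pid"],
                         "value": ev["value"], "data": data})
    return hits


def rule_injection_into_windows_binary(trace, images=IMAGES):
    """WriteProcessMemory from an untrusted-path process into a Windows system binary.
    Keeps the write count and whether the target was launched through a System32 path
    that WOW64 redirected to SysWOW64 (a 32-bit dropper) for triage."""
    launched_as = {ev["target_pid"]: ev.get("cmdline", "")
                   for ev in trace if ev["api"] == "CreateProcessW"}
    writes = Counter((ev["pid"], ev["target_pid"])
                     for ev in trace if ev["api"] == "WriteProcessMemory")
    hits = []
    for (src, dst), n in writes.items():
        if USER_WRITABLE.match(images.get(src, "")) and WINDOWS_BIN.match(images.get(dst, "")):
            redirected = (launched_as.get(dst, "").lower().startswith("c:\\windows\\system32\\")
                          and images[dst].lower().startswith("c:\\windows\\syswow64\\"))
            hits.append({"rule": "injection_into_windows_binary", "pid": src,
                         "target_pid": dst, "target_image": images[dst],
                         "writes": n, "wow64_redirected": redirected})
    return hits


def rule_hide_from_debugger_after_injection(trace, images=IMAGES):
    """ThreadHideFromDebugger requested by a process that another process wrote into:
    the anti-debug call belongs to the injected payload, not to the host binary."""
    injected = {ev["target_pid"] for ev in trace if ev["api"] == "WriteProcessMemory"}
    calls = Counter(ev["pid"] for ev in trace
                    if ev["api"] == "NtSetInformationThread"
                    and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER
                    and ev["pid"] in injected)
    return [{"rule": "hide_from_debugger_after_injection", "pid": pid,
             "image": images.get(pid), "calls": n} for pid, n in calls.items()]


def run_rules(trace, images=IMAGES):
    """Apply every rule to the trace and return the combined findings."""
    findings = []
    for rule in (rule_run_key_persistence, rule_injection_into_windows_binary,
                 rule_hide_from_debugger_after_injection):
        findings.extend(rule(trace, images))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_TRACE):
        print(finding)
```

The third rule is the one worth keeping in a production ruleset: NtSetInformationThread with ThreadHideFromDebugger is noisy on its own, but correlating it with a prior WriteProcessMemory into the same pid from an untrusted path removes most benign hits.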
Processes
1. "C:\Users\Admin\AppData\Local\Temp\confirmación de solicitud de documento DOC.ex.exe" (pid 3224)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mobsync.exe, launched as C:\Windows\System32\mobsync.exe (pid 1276, child of 3224)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
   The command line names System32 but the image path is SysWOW64: WOW64 file system redirection resolved the 32-bit dropper's CreateProcess call to the 32-bit mobsync.exe, which is the process the 23 memory writes went into. mobsync.exe is started with no arguments, which is another hint that it serves only as an injection host.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1276-119-0x0000000000000000-mapping.dmp
memory/1276-121-0x00000000030F0000-0x00000000030F1000-memory.dmp (4KB)
memory/1276-120-0x0000000003030000-0x0000000003031000-memory.dmp (4KB)
memory/1276-125-0x0000000003150000-0x0000000003151000-memory.dmp (4KB)
memory/1276-126-0x0000000010410000-0x00000000107F4000-memory.dmp (3.9MB; the region the upx YARA rule matched, inside mobsync.exe's address space)
memory/3224-114-0x00000000005E0000-0x000000000072A000-memory.dmp (1.3MB)
memory/3224-117-0x0000000000630000-0x000000000064A000-memory.dmp (104KB)
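An added example, not the sandbox's own code: a parser for the dump file names in this list (pid, dump index, start and end address, size) plus a check for UPX markers over a dumped region, so the 3.9MB figure and the upx YARA match can be re-derived from a downloaded dump. The dump name grammar is inferred from the names above; the region bytes are constructed here because the real dump is not on the page.

```python
"""Parse sandbox memory-dump names and scan a dumped region for UPX markers.
Added example; the name pattern is inferred from this report and the region
bytes are a constructed stand-in for memory/1276-126."""
import re
import struct

# Inferred from the names in the Downloads list: memory/<pid>-<idx>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]{16})"
    r"(?:-0x(?P<end>[0-9A-Fa-f]{16}))?-(?P<kind>memory|mapping)\.dmp$")

# Section names and packer magic that UPX leaves in a packed PE (what a typical
# "upx" YARA rule keys on). A mapped, unpacked payload will usually still carry them.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def parse_dump_name(name):
    """Return pid, index, kind, start/end address and size for a dump name.
    Mapping dumps carry only a base address, so their size is None."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end is not None else None}


def scan_upx(region):
    """Report UPX markers in a dumped region and whether it starts with a PE header.
    A UPX marker inside a region mapped as a PE image is stronger evidence of a
    packed payload than the same bytes in an unstructured heap blob."""
    found = {marker.decode(): region.find(marker) for marker in UPX_MARKERS if marker in region}
    is_pe = False
    if region[:2] == b"MZ" and len(region) >= 0x40:
        e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
        is_pe = region[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    # Two or more markers avoids flagging a lone "UPX0" string in unrelated data.
    return {"is_pe": is_pe, "markers": found, "upx": len(found) >= 2}


def build_constructed_region(size=0x1000):
    """Constructed stand-in for the 3.9MB dump: a minimal PE32 header with UPX0/UPX1
    section names and the 'UPX!' magic after the section table, zero-padded.
    Only the fields scan_upx looks at are populated; this is not the real dump."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    file_header = 0x84                                  # IMAGE_FILE_HEADER, 20 bytes
    struct.pack_into("<H", buf, file_header + 2, 3)     # NumberOfSections
    struct.pack_into("<H", buf, file_header + 16, 0xE0) # SizeOfOptionalHeader (PE32)
    sections = file_header + 20 + 0xE0                  # first IMAGE_SECTION_HEADER
    for i, name in enumerate((b"UPX0", b"UPX1", b".rsrc")):
        off = sections + 40 * i                         # each section header is 40 bytes
        buf[off:off + 8] = name.ljust(8, b"\0")
    after_table = sections + 40 * 3
    buf[after_table:after_table + 4] = b"UPX!"          # packer magic follows the table
    return bytes(buf)


if __name__ == "__main__":
    info = parse_dump_name("memory/1276-126-0x0000000010410000-0x00000000107F4000-memory.dmp")
    print(info, f"{info['size'] / 2**20:.1f}MB")
    print(scan_upx(build_constructed_region()))
```

On a real dump, replace build_constructed_region() with the bytes read from the downloaded file; the size reported by parse_dump_name should equal the file length, which is a cheap sanity check that the download is the whole region.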