Analysis
Max time kernel: 151s
Max time network: 151s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 19-07-2021 17:50
Static task: static1
Behavioral task: behavioral1
Sample: Gerador De Cash 2020 PB.exe
Resource: win7v20210410
General
Target: Gerador De Cash 2020 PB.exe
Size: 562KB
MD5: 02d37ed4bc3422b573fce8265a434d1b
SHA1: 57c2ff77566afcfbf5d75c5912a22a19656afa29
SHA256: 571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044
SHA512: cb33ce0df6ce4dcc093f821e08cbd4307540c03cf239e89934e267457705d8ae911004d411555ff95189413f93f9b09105f800e86a74d3bf9e06462133651cc1
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: Gerador De Cash 2020 PB.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Gerador De Cash 2020 PB.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\explorer.exe" | Gerador De Cash 2020 PB.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Gerador De Cash 2020 PB.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\explorer.exe" | Gerador De Cash 2020 PB.exe
Executes dropped EXE (3 IoCs)
Processes: AutoXP [PBBR] -.exe, Gerador de Cash 2016.exe, explorer.exe
pid | process
1336 | AutoXP [PBBR] -.exe
3508 | Gerador de Cash 2016.exe
3832 | explorer.exe
Modifies Installed Components in the registry (2 TTPs)

resource | yara_rule
behavioral2/memory/3756-121-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
C:\Windows\System\explorer.exe | upx
behavioral2/memory/788-127-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
C:\Windows\System\explorer.exe | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: Gerador De Cash 2020 PB.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | Gerador De Cash 2020 PB.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: Gerador De Cash 2020 PB.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Gerador De Cash 2020 PB.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\System\\explorer.exe" | Gerador De Cash 2020 PB.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | Gerador De Cash 2020 PB.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sistema Operacional 64x = "C:\\Windows\\System\\explorer.exe" | Gerador De Cash 2020 PB.exe
Drops file in Windows directory (4 IoCs)
Processes: Gerador De Cash 2020 PB.exe (two instances)
description | ioc | process
File created | C:\Windows\System\explorer.exe | Gerador De Cash 2020 PB.exe
File opened for modification | C:\Windows\System\explorer.exe | Gerador De Cash 2020 PB.exe
File opened for modification | C:\Windows\System\explorer.exe | Gerador De Cash 2020 PB.exe
File opened for modification | C:\Windows\System\ | Gerador De Cash 2020 PB.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe (two instances)
pid | pid_target | process | target process
1352 | 788 | WerFault.exe | Gerador De Cash 2020 PB.exe
720 | 3832 | WerFault.exe | explorer.exe
Modifies registry class (1 IoC)
Processes: Gerador De Cash 2020 PB.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | Gerador De Cash 2020 PB.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: Gerador De Cash 2020 PB.exe, WerFault.exe (two instances)
pid | process | times recorded
664 | Gerador De Cash 2020 PB.exe | 2
1352 | WerFault.exe | 15
720 | WerFault.exe | 15
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Gerador De Cash 2020 PB.exe
pid | process
788 | Gerador De Cash 2020 PB.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Gerador De Cash 2020 PB.exe, WerFault.exe (two instances)
description | pid | process
Token: SeDebugPrivilege | 788 | Gerador De Cash 2020 PB.exe
Token: SeDebugPrivilege | 788 | Gerador De Cash 2020 PB.exe
Token: SeRestorePrivilege | 1352 | WerFault.exe
Token: SeBackupPrivilege | 1352 | WerFault.exe
Token: SeDebugPrivilege | 1352 | WerFault.exe
Token: SeDebugPrivilege | 720 | WerFault.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: Gerador De Cash 2020 PB.exe
pid | process
664 | Gerador De Cash 2020 PB.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Gerador De Cash 2020 PB.exe
description | pid | process | target process
PID 664 wrote to memory of 2568 | 664 | Gerador De Cash 2020 PB.exe | Explorer.EXE
(the same entry is recorded 64 times)
Processes (indented by depth in the process tree; "cmd:" is the recorded command line)

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\explorer.exe
        cmd: explorer.exe
    [3] C:\Program Files\Internet Explorer\iexplore.exe
        cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"
        - Checks computer location settings
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe"
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe"
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 1668
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System\explorer.exe
          cmd: "C:\Windows\System\explorer.exe"
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 652
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe
MD5: bf29f3a4bdbee79c0da3717aa44338ef
SHA1: ca7f07e95e428d3f46c5fddff15b3caeb03eea30
SHA256: 8af5ba7c1318cf44c818238137109ef7cea0be0853853614168d2f1ce514798d
SHA512: 1b8f565304c501abe5c6c71cc8ea4226b4ab445d02bda73ff8d53722ecf68cdb0307f45ffe1f857e73d2d1b5f255903cbef3b18e321ec2de5abb605fb83f4b9e

C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe
MD5: d4cd3008892010115bf02ce8b9f06347
SHA1: c7ddf6c6b5ffb32d62b057039e0a0e5700ca1fe6
SHA256: 0500d89f67d7f34d582a8a4bdf8f0e4a31c20095cc289c40830dd60873348624
SHA512: e7c188b4989b5c3cc5bf03dd5a2eac251fbe640294672238ec2f11f228ebee0c949b62325cf44a9f77b8402de4e0bab0c9ba8b37991ac93d4386aaf05aee2635

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5: 4df7d5b3c2840b162dc18042218653ec
SHA1: 35ab3b9ed92ccdaae81d2ffa856dc1de5ae4a541
SHA256: 94540b9d0a7e7ab41dc3175f3da6ecae5d30864cee6c33831365b8c9348e6c56
SHA512: 3828f941213da69e9ff677007cc64b826fa5cc0d81756d61d84cbe4baf20573abeabb290a1d60203a6afcde61d1566a42fc451280a7d267ca8f73d25d589e059

C:\Windows\System\explorer.exe (same hashes as the submitted sample)
MD5: 02d37ed4bc3422b573fce8265a434d1b
SHA1: 57c2ff77566afcfbf5d75c5912a22a19656afa29
SHA256: 571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044
SHA512: cb33ce0df6ce4dcc093f821e08cbd4307540c03cf239e89934e267457705d8ae911004d411555ff95189413f93f9b09105f800e86a74d3bf9e06462133651cc1