878dbdcd93fa8a501ad8ff5e798ca60e004f89af453346a09b37a0d5146bc37a

General

Target

Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
Size

467KB
MD5

fd8c8b6a75beb812171a759eb586a9cd
SHA1

3803aaa0d31603efa2ae699c19131c46d0b1edd3
SHA256

453f04cce9aec338600473b9b81fc009ca69e899e2c5e9c4778cb5fa9caf36bc
SHA512

b12c0b63fc50d3693c9a4ad50492279850c8e1ba96ac5013ac8fe04da8a0f4a1e7de3ad3909d57fa66e4ac25f4efc8800d75287ae461242f098b05bce09489d4

Score

10^/10

Credentials

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Pago-195.exe

description pid process target process

PID 1652 set thread context of 1268 1652 Pago-195.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1268 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

1268 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Pago-195.exe

pid process

1652 Pago-195.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1268 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1268 MSBuild.exe

description	pid	process	target process
PID 1652 set thread context of 1268	1652	Pago-195.exe	MSBuild.exe

pid	process
1268	MSBuild.exe

pid	process
1268	MSBuild.exe

pid	process
1652	Pago-195.exe

description	pid	process
Token: SeDebugPrivilege	1268	MSBuild.exe

pid	process
1268	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Pago-195.exeMSBuild.exe

description	pid	process	target process
PID 1652 wrote to memory of 1268	1652	Pago-195.exe	MSBuild.exe
PID 1652 wrote to memory of 1268	1652	Pago-195.exe	MSBuild.exe
PID 1652 wrote to memory of 1268	1652	Pago-195.exe	MSBuild.exe
PID 1652 wrote to memory of 1268	1652	Pago-195.exe	MSBuild.exe
PID 1652 wrote to memory of 1268	1652	Pago-195.exe	MSBuild.exe
PID 1268 wrote to memory of 876	1268	MSBuild.exe	netsh.exe
PID 1268 wrote to memory of 876	1268	MSBuild.exe	netsh.exe
PID 1268 wrote to memory of 876	1268	MSBuild.exe	netsh.exe
PID 1268 wrote to memory of 876	1268	MSBuild.exe	netsh.exe

memory/876-64-0x0000000000000000-mapping.dmp

Download
memory/1268-61-0x0000000000443BDE-mapping.dmp

Download
memory/1268-62-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1268-63-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1268-66-0x0000000000D71000-0x0000000000D72000-memory.dmp

Filesize
4KB

Download
memory/1268-67-0x0000000000D76000-0x0000000000D87000-memory.dmp

Filesize
68KB

Download
memory/1652-60-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download