Analysis

Max time kernel:  125s
Max time network: 120s
Platform:         windows7_x64
Resource:         win7v20210408
Submitted:        27-07-2021 12:42
Static task: static1

Behavioral task: behavioral1
  Sample:   Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample:   Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
  Resource: win7v20210408
General

Target: Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
Size:   467KB
MD5:    fd8c8b6a75beb812171a759eb586a9cd
SHA1:   3803aaa0d31603efa2ae699c19131c46d0b1edd3
SHA256: 453f04cce9aec338600473b9b81fc009ca69e899e2c5e9c4778cb5fa9caf36bc
SHA512: b12c0b63fc50d3693c9a4ad50492279850c8e1ba96ac5013ac8fe04da8a0f4a1e7de3ad3909d57fa66e4ac25f4efc8800d75287ae461242f098b05bce09489d4
Malware Config

Extracted (SMTP credentials embedded in the sample):
  Protocol: smtp
  Host:     smtp.azebal.com
  Port:     587
  Username: kimone@azebal.com
  Password: #*ehEFidm0

These values were recovered from the sample's own configuration, so the host, port and mailbox are indicators of the sample's outbound channel, not of the infected system; block or monitor SMTP to this host and do not reuse the credentials outside an isolated analysis environment.
Signatures

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     checkip.dyndns.org
  8     freegeoip.app
  9     freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process       target process
  PID 1652 set thread context of 1268  1652  Pago-195.exe  MSBuild.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  1268  MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1268  MSBuild.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  1652  Pago-195.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1268  MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1268  MSBuild.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process       target process  occurrences
  PID 1652 wrote to memory of 1268   1652  Pago-195.exe  MSBuild.exe     5
  PID 1268 wrote to memory of 876    1268  MSBuild.exe   netsh.exe       4
Processes

1. C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-195.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-195.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-195.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile

Note the mismatch in process 2: the image is the 32-bit .NET 2.0 MSBuild.exe, but its command line is the parent's own path. Combined with the five WriteProcessMemory calls and the SetThreadContext call from PID 1652 into PID 1268 recorded above, this is the pattern of a legitimate, signed host process being started and then overwritten with the sample's payload before its first thread runs, so the payload's behaviour (process enumeration, foreground-window polling, SeDebugPrivilege, SetWindowsHookEx, and the netsh child) is attributed to MSBuild.exe rather than to Pago-195.exe. The netsh child lists the saved wireless network profiles on the host; the report shows only "show profile", not a follow-up request for the keys.
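The signature tables and the process tree describe one chain: a parent writes into a child it has just created and changes the child's thread context, the child runs with a command line that does not match its image, the child spawns netsh to read Wi-Fi profiles, and external IP lookup services are contacted. The Python below turns those observations into detection rules and runs them over an event list constructed from this report's values. It is an added example, not part of the report or of the sandbox's own rule set; the event schema (kind / pid / ppid / image / cmdline / target_pid / api / query) is an assumption and does not correspond to any particular EDR's telemetry format, and the DNS events carry no process attribution because the report lists them by flow only.

```python
"""Detections for the behaviour in this report, run over a constructed event list.

Added example (not the sandbox's code). Event schema is an assumption:
  process: pid, ppid, image, cmdline
  api:     pid (caller), target_pid, api
  dns:     query
"""
import ntpath  # Windows path handling that also works when run on Linux/macOS
from collections import defaultdict

# Hosts from the report's "Looks up external IP address via web service" table.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-195.exe"

# Constructed from the report: process tree, cross-process API calls, DNS IoCs.
EVENTS = [
    {"kind": "process", "pid": 1652, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 1268, "ppid": 1652,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": f'"{SAMPLE}"'},  # inherits the parent's command line
    {"kind": "process", "pid": 876, "ppid": 1268,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": '"netsh" wlan show profile'},
    *[{"kind": "api", "pid": 1652, "target_pid": 1268, "api": "WriteProcessMemory"} for _ in range(5)],
    {"kind": "api", "pid": 1652, "target_pid": 1268, "api": "SetThreadContext"},
    *[{"kind": "api", "pid": 1268, "target_pid": 876, "api": "WriteProcessMemory"} for _ in range(4)],
    {"kind": "dns", "query": "checkip.dyndns.org"},
    {"kind": "dns", "query": "freegeoip.app"},
    {"kind": "dns", "query": "freegeoip.app"},
]


def first_token(cmdline):
    """Program part of a Windows command line, whether quoted or bare."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def stem(path):
    """Lower-case file name without extension, so 'netsh' matches 'netsh.exe'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def detect(events):
    alerts = []
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}

    # 1. Image / command-line mismatch: a hollowed host keeps its own image path
    #    but carries the command line the injector created it with.
    for p in procs.values():
        if stem(first_token(p["cmdline"])) != stem(p["image"]):
            alerts.append({"rule": "image_cmdline_mismatch", "pid": p["pid"],
                           "image": ntpath.basename(p["image"]),
                           "cmdline_image": ntpath.basename(first_token(p["cmdline"]))})

    # 2. Cross-process writes followed by SetThreadContext on the same target.
    #    Writes alone are noisy (a parent writes into a child it has just created,
    #    as MSBuild.exe does into netsh.exe here), so the thread-context change is
    #    what lifts a (source, target) pair to an injection alert.
    apis = defaultdict(set)
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "api":
            key = (e["pid"], e["target_pid"])
            apis[key].add(e["api"])
            writes[key] += e["api"] == "WriteProcessMemory"
    for (src, dst), seen in apis.items():
        if "SetThreadContext" in seen and writes[(src, dst)] > 0:
            target = procs.get(dst)
            alerts.append({"rule": "write_then_setthreadcontext", "pid": src, "target_pid": dst,
                           "writes": writes[(src, dst)],
                           "target_image": ntpath.basename(target["image"]) if target else None})

    # 3. Saved Wi-Fi profile enumeration via netsh, attributed to the parent image.
    for p in procs.values():
        if stem(p["image"]) == "netsh" and "wlan show profile" in p["cmdline"].lower():
            parent = procs.get(p["ppid"])
            alerts.append({"rule": "netsh_wlan_profiles", "pid": p["pid"],
                           "parent_image": ntpath.basename(parent["image"]) if parent else None})

    # 4. External IP lookup services (the report's three DNS IoCs, deduplicated).
    hosts = sorted({e["query"].lower() for e in events if e["kind"] == "dns"} & IP_LOOKUP_HOSTS)
    if hosts:
        alerts.append({"rule": "external_ip_lookup", "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 1 is the cheapest to run in production because it needs only process-creation telemetry; rules 2 and 3 need cross-process API or parent-child data, and rule 4 needs DNS logs, which is why the report records each signature separately.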
Downloads (memory dumps)

memory/876-64-0x0000000000000000-mapping.dmp
memory/1268-61-0x0000000000443BDE-mapping.dmp
memory/1268-62-0x00000000754F1000-0x00000000754F3000-memory.dmp   8KB
memory/1268-63-0x0000000000D70000-0x0000000000D71000-memory.dmp   4KB
memory/1268-66-0x0000000000D71000-0x0000000000D72000-memory.dmp   4KB
memory/1268-67-0x0000000000D76000-0x0000000000D87000-memory.dmp   68KB
memory/1652-60-0x0000000000350000-0x0000000000352000-memory.dmp   8KB