Resubmissions
27-01-2022 14:39   220127-r1k8xaegf7
Analysis
Max time kernel: 281s
Max time network: 273s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 27-01-2022 14:39
Behavioral task behavioral1: sample PAGO DE FACTURA PENDIENTE.pdf, resource win7-en-20211208
Behavioral task behavioral2: sample PAGO DE FACTURA PENDIENTE.pdf, resource win10-en-20211208
(The platform and resource above are behavioral1's; the signatures, process tree and dropped files below are from that Windows 7 run.)
General
Target: PAGO DE FACTURA PENDIENTE.pdf
Size: 49KB
MD5: 450cad786cba5ecf19705b1c11668ee0
SHA1: a4d7551be2cfa235cc9bc849636434058093edf4
SHA256: 3e9ff0a001dbac60cacebbbe62ab2bc2021e52fe774286be3f925f7fde87c032
SHA512: c99e9d91860d87de2d2b3f0abf45cba275d2c7f35985a2be2ed44876b497528ece75c9821eda92a352519ac6ddc68f2c34f63de938550f57b4a3267fa20b3346
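The target is a 49KB PDF, and the process tree further down shows Adobe Reader handing a bit.ly link to Internet Explorer, which is the hand-off that brought the archive with the EXE onto the machine. The static first pass below pulls link targets out of a PDF and flags the other hooks that let a document hand control to another program (/Launch, /JavaScript, /OpenAction and /AA). It is an added example, not part of the Triage report or of the sample: a regex scan over the raw file plus any FlateDecode streams, so it needs no third-party PDF library. The one-page lure it builds to scan is constructed here, using the report's bit.ly URL as the link target; the shortener list is an assumption.

```python
import re
import zlib
from urllib.parse import urlsplit

# Hostnames of common URL shorteners (assumed list); bit.ly is the one the sample handed to IE.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# /URI followed by a PDF string: a literal (...) with backslash escapes or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL)
# stream ... endstream bodies; the lookbehind stops "endstream" from starting a false match.
_STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\nendstream", re.DOTALL)
_LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
_JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
_AUTO_RE = re.compile(rb"/(?:OpenAction|AA)\b")

def _pdf_string(m):
    """Decode the string captured by _URI_RE to text (escape handling sufficient for URLs)."""
    if m.group("hex") is not None:
        digits = re.sub(rb"\s", b"", m.group("hex"))
        if len(digits) % 2:          # PDF treats a missing final hex digit as 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    lit = re.sub(rb"\\\r?\n", b"", m.group("lit"))   # drop escaped line breaks
    lit = re.sub(rb"\\([()\\])", rb"\1", lit)        # \( \) \\ -> ( ) \
    return lit.decode("latin-1")

def _chunks(pdf_bytes):
    """Yield the raw file, then each FlateDecode stream it contains, decompressed."""
    yield pdf_bytes
    for m in _STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # not Flate data (image, another filter, or encrypted)

def triage_pdf(pdf_bytes):
    """Static first pass: collect link targets and flag the features that let a PDF
    hand control to a browser or another program. Returns a dict, not a verdict."""
    uris, flags = [], set()
    for chunk in _chunks(pdf_bytes):
        uris.extend(_pdf_string(m) for m in _URI_RE.finditer(chunk))
        if _LAUNCH_RE.search(chunk):
            flags.add("launch")
        if _JS_RE.search(chunk):
            flags.add("javascript")
        if _AUTO_RE.search(chunk):
            flags.add("auto-action")
    shortened = [u for u in uris if (urlsplit(u).hostname or "").lower() in SHORTENERS]
    if shortened:
        flags.add("shortener-link")
    return {"uris": uris, "shortened": shortened, "flags": sorted(flags)}

def build_sample_pdf(url, compress=False):
    """Constructed stand-in for the lure: one page whose only content is a link to `url`.
    compress=True wraps the link object in a FlateDecode stream purely to exercise the
    decompression path; a viewer would expect a proper object stream for that."""
    annot = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 540 730] "
             b"/A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")
    if compress:
        packed = zlib.compress(annot)
        annot = b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream"
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
            annot]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf("https://bit.ly/u5_fac_tu_cobr_pendite003")))
```

A regex pass sees only uncompressed objects and FlateDecode streams; object streams, LZW or ASCII85 filters, encryption and incremental updates need a real parser, so treat an empty result as "nothing found", not "nothing there". A shortener as the sole link target in an invoice-themed PDF is the indicator worth alerting on, since the redirect can be changed after the lure is sent.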
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: pid 336, C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic heuristic: the report attributes no process to this signature, so it cannot be tied to the dropped EXE and is weak evidence on its own.)
Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
Processes: iexplore.exe. Keys are under \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer.
- Key created: PhishingFilter (iexplore.exe)
- Set value (data): PhishingFilter\ClientSupported_MigrationTime = f0ad50719413d801 (iexplore.exe)
The value is an 8-byte little-endian FILETIME (a late-January-2022 timestamp, matching the analysis date), not a change to the filter's on/off state; it is IE's own migration marker, written because the sandbox launched IE, not something the sample configured.

Modifies Internet Explorer settings (heading absent from the extracted page; the name is the one the process tree uses)
Processes: iexplore.exe, IEXPLORE.EXE. Keys are under the same Internet Explorer path.
- Key created: IETld\LowMic (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: MINIE (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (int): Recovery\AdminActive\{9E5F7FB1-7F87-11EC-8657-C64E4713EE09} = "0" (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: GPU (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (data): Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000f00300005a020000 (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
All of these are ordinary first-run and window-state housekeeping for an IE session; they show that IE ran with the link, not what the page behind the link did.
Modifies registry class (12 IoCs)
Processes: rundll32.exe. Keys are under \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes (a trailing backslash denotes the key's default value).
- Key created: Local Settings
- Key created: .text
- Set value (str): .text\ = "text_auto_file"
- Key created: text_auto_file\shell\edit
- Key created: text_auto_file\shell
- Key created: text_auto_file
- Set value (str): text_auto_file\
- Key created: text_auto_file\shell\edit\command
- Set value (str): text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Key created: text_auto_file\shell\open
- Key created: text_auto_file\shell\open\command
- Set value (str): text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
This is the per-user file association Windows writes when an unknown extension (.text) is opened with Notepad through the Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL in the process tree). rundll32 is a top-level process there, not a child of Reader or of the dropped EXE, so these keys record interaction with the downloaded .text file rather than persistence set by the sample.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: pid 1916 AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
- pid 1484 AUDIODG.EXE: Token 33, SeIncBasePriorityPrivilege, Token 33, SeIncBasePriorityPrivilege
- pid 808 7zG.exe: SeRestorePrivilege, Token 35, SeSecurityPrivilege, SeSecurityPrivilege
- pid 620 7zG.exe: SeRestorePrivilege, Token 35, SeSecurityPrivilege, SeSecurityPrivilege
All twelve come from the audio service and from 7-Zip requesting the privileges it uses during extraction; none come from the dropped EXE.

Suspicious use of FindShellTrayWindow (5 IoCs)
- pid 1628 iexplore.exe (3), pid 808 7zG.exe (1), pid 620 7zG.exe (1)

Suspicious use of SetWindowsHookEx (10 IoCs)
- pid 1916 AcroRd32.exe (4), pid 1628 iexplore.exe (2), pid 1416 IEXPLORE.EXE (4)

Suspicious use of WriteProcessMemory (11 IoCs)
- pid 1916 AcroRd32.exe wrote to memory of pid 1628 iexplore.exe (4 events)
- pid 1628 iexplore.exe wrote to memory of pid 1416 IEXPLORE.EXE (4 events)
- pid 1288 rundll32.exe wrote to memory of pid 1584 NOTEPAD.EXE (3 events)
Each pair is a parent writing into a child it has just created (the same parent/child pairs appear in the process tree), not injection into an unrelated process. The dropped EXE (pid 336) appears in no behavioural signature beyond its own execution, and only a 4KB region was dumped from it, so this run captured little of what it does.
Processes (indentation is the tree depth; pids are taken from the Signatures section)
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (pid 1916)
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PAGO DE FACTURA PENDIENTE.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (pid 1628)
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/u5_fac_tu_cobr_pendite003
        - Modifies Internet Explorer Phishing Filter
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (pid 1416)
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE (pid 1484)
    C:\Windows\system32\AUDIODG.EXE 0x510
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files\7-Zip\7zG.exe (pid 808 or 620; the report does not say which run is which)
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26226:124:7zEvent16004
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe (pid 336)
    "C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe"
    - Executes dropped EXE
C:\Program Files\7-Zip\7zG.exe (pid 620 or 808)
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17508:124:7zEvent28596
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\rundll32.exe (pid 1288)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\.text
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE (pid 1584)
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\.text
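Read as a chain, the tree is: Reader opens the lure, spawns IE on a bit.ly link, a RAR lands in Downloads, 7-Zip extracts it into the same folder, and the extracted FACTURA DE COBRO PENDIENTE.26D5.exe runs as a top-level process. The detection logic below, an added example that is not part of the report or the sample, runs three parent/child and path rules over process-creation events and walks each hit back to its root. The events are constructed to mirror the tree above, reusing its pids, images and command lines; explorer.exe's pid (1000), the parent of every top-level process, and the reader, browser, archiver and shortener lists are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events mirroring the report's tree. pids, images and command lines
# are the report's; explorer.exe's pid 1000 (ppid 0) and its role as parent of every top-level
# process are assumed so that each chain has a root.
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
    {"pid": 1916, "ppid": 1000, "image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PAGO DE FACTURA PENDIENTE.pdf"'},
    {"pid": 1628, "ppid": 1916, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/u5_fac_tu_cobr_pendite003'},
    {"pid": 1416, "ppid": 1628, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2'},
    {"pid": 808, "ppid": 1000, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26226:124:7zEvent16004'},
    {"pid": 336, "ppid": 1000, "image": r"C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe"'},
    {"pid": 620, "ppid": 1000, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17508:124:7zEvent28596'},
    {"pid": 1288, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\.text'},
    {"pid": 1584, "ppid": 1288, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\.text'},
]

# Assumed categories; extend to taste.
READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
ARCHIVERS = {"7zg.exe", "7z.exe", "winrar.exe", "unrar.exe"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# An .exe under Downloads whose name carries an extra dotted suffix, e.g. NAME.26D5.exe.
_DOWNLOADS_DOUBLE_EXT = re.compile(r"\\downloads\\[^\\]*\.[^\\]*\.exe$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def by_pid(events):
    return {e["pid"]: e for e in events}

def ancestry(events, pid):
    """Image names from `pid` up to the root, child first."""
    table, chain = by_pid(events), []
    while pid in table:
        chain.append(basename(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return chain

def shortener_urls(cmdline):
    """URLs in a command line whose host is a known shortener (host match, not substring,
    so 'microsoft.com' does not trip on 't.co')."""
    return [u for u in _URL_RE.findall(cmdline) if (urlsplit(u).hostname or "").lower() in SHORTENERS]

def rule_reader_to_browser_shortener(events):
    """Document viewer launches a browser on a shortener link: the lure's hand-off."""
    table = by_pid(events)
    return [e["pid"] for e in events
            if (parent := table.get(e["ppid"])) is not None
            and basename(parent["image"]) in READERS
            and basename(e["image"]) in BROWSERS
            and shortener_urls(e["cmdline"])]

def rule_archiver_extracts_to_downloads(events):
    """Archive tool extracting straight into the Downloads folder."""
    return [e["pid"] for e in events
            if basename(e["image"]) in ARCHIVERS and "\\downloads\\" in e["cmdline"].lower()]

def rule_double_extension_exe_in_downloads(events):
    """PE executed from Downloads with a double-extension style name."""
    return [e["pid"] for e in events if _DOWNLOADS_DOUBLE_EXT.search(e["image"])]

def run_rules(events):
    """Map each rule name to its hits, each hit as (pid, ancestry chain)."""
    rules = (rule_reader_to_browser_shortener, rule_archiver_extracts_to_downloads,
             rule_double_extension_exe_in_downloads)
    return {r.__name__: [(pid, ancestry(events, pid)) for pid in r(events)] for r in rules}

if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        for pid, chain in hits:
            print(f"{name}: pid {pid}  chain {' <- '.join(chain)}")
```

The first rule is the high-signal one: a document viewer should never be the parent of a browser pointed at a link shortener. The other two are context; each fires on benign activity alone but, correlated in the same session with the first, they reproduce this report's chain. On a real endpoint the same fields come from Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the ancestry walk replaces the sandbox's tree.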
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Downloads\.text
MD5: 87b328027be7a92618664053f0a0ffc3
SHA1: c7b44ed6625de2399243f5d795c74cb11475470e
SHA256: f9952f44905931be9220838e2f67865f457b61feafd36c6bf04c3437a5761bb7
SHA512: 9b9b9abc9ce69854b7c8f2108789c0c6e67447e3d0d0544172cc1e8b38df884b058dcb66ea8adae0ee14410ada90618963e1d06df27db8d8ea1e4d9ac0f79208

C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.exe (listed twice in the report with identical hashes; 7zG.exe extracted into Downloads twice)
MD5: 0452fd58463ca15ed6ca32a57c756f0f
SHA1: 71b17e8db6256b1b4bd925d81c683a3013f188d5
SHA256: 6eddc22c76f55fbe87cf36b29e54a5b260c7738b1dd8aa5310cb58a02cacf88e
SHA512: c5975a149622c73413532a07b5113f94819ebc02dec0080034b8c9e3744233598d0b7c039d6be1c271eae3d65eff191f0b5b73751b8acd0c883c51aad18443b3

C:\Users\Admin\Downloads\FACTURA DE COBRO PENDIENTE.26D5.rar.k0tycnl.partial (an in-progress browser download; the .rar name matches the EXE that 7-Zip then extracted into the same folder)
MD5: 0d9dbb0fee5b7c02879886bcdc2b3997
SHA1: 760a0c05a76180ecbf7f893fbdf21545ba6564f0
SHA256: 93d498cbe5e429bedb3f78d8578ddf581bc28e90e7268933c73073d1033dcdcb
SHA512: 6148ae63d1051f05717c8517f05b84ab81d41ac5cbdc92b06f961b4062efa434eb686f90ac85dcc525856fb63f7a5815b2b31f11d2a8f52f9ba13d7449bc923e
These hashes are of the .partial file as captured, not necessarily of the complete archive.

memory/336-61-0x0000000000230000-0x0000000000231000-memory.dmp, filesize 4KB (pid 336, the dropped EXE)
memory/1600-57-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp, filesize 8KB
memory/1916-55-0x0000000075321000-0x0000000075323000-memory.dmp, filesize 8KB (pid 1916, AcroRd32.exe)