Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 14:43
Behavioral tasks
- behavioral1: sample NOTIFICACION DE TRANSFERENCIA.pdf, resource win7-20220414-en
- behavioral2: sample NOTIFICACION DE TRANSFERENCIA.pdf, resource win10v2004-20220414-en
General
- Target: NOTIFICACION DE TRANSFERENCIA.pdf
- Size: 27KB
- MD5: 3beab282bacd77f411e71edd1ee7fad3
- SHA1: 061dcd99c124ddc93262c3e18a8fa1bfcc9f0412
- SHA256: 89694b9f2f390337f9a8a2dbb7a5fe10182b2a81e9beee9d35605dd130f4dc46
- SHA512: e96f27b9f4e9e9dceb15d46527de687a08ec0296cc7b9d34ec30b594c8a3c743fad9412179c6bd45c23e5a7a5a5e2188e93d408c892f64dc5a0499260cf80017
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  Processes: iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 60a38028565ad801 (iexplore.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54899DE1-C649-11EC-A45D-66E616BC8074} = "0" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357842868" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (rundll32.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe (PID 1132)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: vlc.exe (PID 1132), AcroRd32.exe (PID 1556)
- Suspicious use of FindShellTrayWindow (23 IoCs)
  Processes: iexplore.exe (PID 1480, 2 IoCs), vlc.exe (PID 1132, 21 IoCs)
- Suspicious use of SendNotifyMessage (20 IoCs)
  Processes: vlc.exe (PID 1132, 20 IoCs)
- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: AcroRd32.exe (PID 1556, 4 IoCs), iexplore.exe (PID 1480, 2 IoCs), IEXPLORE.EXE (PID 1780, 4 IoCs), vlc.exe (PID 1132, 1 IoC)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: AcroRd32.exe, iexplore.exe, rundll32.exe
  PID 1556 AcroRd32.exe wrote to memory of PID 1480 iexplore.exe (4 IoCs)
  PID 1480 iexplore.exe wrote to memory of PID 1780 IEXPLORE.EXE (4 IoCs)
  PID 1480 iexplore.exe wrote to memory of PID 1504 rundll32.exe (3 IoCs)
  PID 1504 rundll32.exe wrote to memory of PID 1132 vlc.exe (3 IoCs)
Processes
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1556)
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE TRANSFERENCIA.pdf"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 1480, child of AcroRd32.exe)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/u5_trans_fer_noti_ficatio_0055
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1780, child of iexplore.exe)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\rundll32.exe (PID 1504, child of iexplore.exe)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1132, child of rundll32.exe)
        Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar"
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fbf0c960193ee798db32b4058ba0be82
  SHA1: 2eea6239dd5dd15309e5b3ff47adad471fc0af03
  SHA256: 05a57f628f3a807b465d64460e9c5567ed0e4e7dd48175ad5bdbaa3c6637d71b
  SHA512: 68190c7c5f0e082b561a3d6ceae80ede6cac337770a647128472cf3c367b3768f357d9167b67cf4fb21810d1647bd239522039657c9826cae8729ac9d7cda188
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar.p6weeyt.partial
  Filesize: 4.7MB
  MD5: 2e963d92bddf62381811770c4ed33e1a
  SHA1: 4ec83d0436ad8e47cafaed56756ad3e0ada59b68
  SHA256: b3dd9f3d0c64eaa8c9714eeb95a8d3cd4bbfe1ea5777d5589c5a8936a37a051f
  SHA512: 3af721f76778cf104c2e1447cb54c250ae2480ff5f2ee126d88c6cf36ab95d45ceebfc7937c00cdc6f9267bc78432e37cee083aa0a55e155388e902430a85d01
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8HGH5BMA.txt
  Filesize: 600B
  MD5: 213ec9f4c19931d383887f373dc6b3e3
  SHA1: f9d59526b1f19f0f629c44eab7e9f39e7f635540
  SHA256: 28fb17ae572717f533976b536fe4cc21304a4f845c30ca5a355c91b9e118701e
  SHA512: 34cd1a0c5ee9d6433bc5663becec431b616362ddaff2025dbccd6a644befd023fd2c4b6a5313f9dc0ef7025c02f93faa75cbf5f26a3d3f0d42c0f72e67a6890a
- memory/1132-58-0x0000000000000000-mapping.dmp
- memory/1504-56-0x0000000000000000-mapping.dmp
- memory/1504-57-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp
  Filesize: 8KB
- memory/1556-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
  Filesize: 8KB