6f628448d414787ca2ee26eed975b02ae71a9ab61d2d8eb58f3de9f8d285c7e5

Analysis

Target

DOMUMENTO DE TRANSACCION REALIZADA.exe
Size

126KB
MD5

8c52bf0ad28692c8e274874606c362dd
SHA1

ebcda75002db41d1a7f3597ca9467aab625439f7
SHA256

ac6da2e8ec05b1e8e562c15745997b48c0f51aeb823d4858445123060f40bb57
SHA512

62dc35a98757814ceaec1f5ff41d97641e5ceabb3e5511ad79be3db272d63fbd001bb62ea9f019a773dd5293dd4993a87d775825dda827b5dd9c1a05d274bf24

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1876 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOMUMENTO DE TRANSACCION REALIZADA.exe

description pid process

Token: SeDebugPrivilege 872 DOMUMENTO DE TRANSACCION REALIZADA.exe

pid	process
1876	timeout.exe

description	pid	process
Token: SeDebugPrivilege	872	DOMUMENTO DE TRANSACCION REALIZADA.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DOMUMENTO DE TRANSACCION REALIZADA.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 1324	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 1324	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 1324	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 1324	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 108	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 108	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 108	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 872 wrote to memory of 108	872	DOMUMENTO DE TRANSACCION REALIZADA.exe	cmd.exe
PID 108 wrote to memory of 1876	108	cmd.exe	timeout.exe
PID 108 wrote to memory of 1876	108	cmd.exe	timeout.exe
PID 108 wrote to memory of 1876	108	cmd.exe	timeout.exe
PID 108 wrote to memory of 1876	108	cmd.exe	timeout.exe

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 20
2⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\timeout.exe
timeout 20
3⤵
- Delays execution with timeout.exe
PID:1876

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/108-59-0x0000000000000000-mapping.dmp

Download
memory/872-54-0x0000000000A60000-0x0000000000A84000-memory.dmp

Filesize
144KB

Download
memory/872-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/872-57-0x00000000061C0000-0x00000000063D2000-memory.dmp

Filesize
2.1MB

Download
memory/872-58-0x0000000004F00000-0x0000000004F4C000-memory.dmp

Filesize
304KB

Download
memory/1324-56-0x0000000000000000-mapping.dmp

Download
memory/1876-60-0x0000000000000000-mapping.dmp

Download