Analysis

  • max time kernel
    127s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2022, 05:13

General

  • Target

    Ficha_Reembolso_1.cmd

  • Size

    1.3MB

  • MD5

    eb604400d1341437d72c331613455a76

  • SHA1

    137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1

  • SHA256

    46fd4d7d232ec606f235a8c6929ad959ae5fea1509ba4575a280513401b5f41b

  • SHA512

    d2dfef736e73d3d0a25a2b707b92c3f57e4a5673198fac3de20bf5119d92d012824d2ab33a23a499be5a10b5018ff418e4c3dc48fa4d31785588eb4970c26a4b

  • SSDEEP

    24576:631wpEXwOOCWVkSnz3R/sOfRQEZZjEg6GEaeJu47fnpdRgaCQIAYhrz:NpzNCWBDBsA5Z4lLD0H9z

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\system32\certutil.exe
        certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe"
        3⤵
          PID:1744
        • C:\Windows\system32\certutil.exe
          certutil -decode -f C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x"
          3⤵
            PID:2348
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process call create '"C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\system32\timeout.exe
            timeout /T 5
            3⤵
            • Delays execution with timeout.exe
            PID:4444
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd
        1⤵
          PID:2368
        • C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe
          "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""
          1⤵
          • Executes dropped EXE
          • NTFS ADS
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1464

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize
    1.3MB
    MD5
    62e5e023b0f490aa238a07dba9af6242
    SHA1
    13854398ef5458dd3b8461d258ba97b27c5da9e8
    SHA256
    cec5ffe842dc5a5e319a462778b41cd3fdc56b1aed7bed4541d696e307ba7b54
    SHA512
    0157b08c11b1baa12b74772a6e2bfb5cd4c94ea6c063126a612a281fc87ee53588eb3f45def4bc1c6b5185076a86d9d0784f3df658bc8a8cd81f626465e5db8e

  • C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x
    Filesize
    111KB
    MD5
    3094bf86168cddd1a32ec29a281290c1
    SHA1
    a82b2a8c0b9c50e4a4130c87c903fdcf85adddee
    SHA256
    26a2cb17bf0e6ffb1be481aedc1e1ac0fc5f2f8a74df881b815c8a1d490eba41
    SHA512
    c1e2a8c45127a87fc767b0bb0344379dead170d7a42b38f1fc1c44b95fa8fe88102d4c71ea1acf91013b82c26afd820cd56e4aaf72e07327c9f479460ba3a725

  • C:\Users\Admin\AppData\Roaming\pekulev\exe\V3314~1.5_2\AutoIt3.exe
    Filesize
    872KB
    MD5
    c56b5f0201a3b3de53e561fe76912bfd
    SHA1
    2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256
    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512
    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe
    Filesize
    872KB
    MD5
    c56b5f0201a3b3de53e561fe76912bfd
    SHA1
    2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256
    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512
    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c