46fd4d7d232ec606f235a8c6929ad959ae5fea1509ba4575a280513401b5f41b

Analysis

max time kernel
127s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ficha_Reembolso_1.cmd
Size

1.3MB
MD5

eb604400d1341437d72c331613455a76
SHA1

137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1
SHA256

46fd4d7d232ec606f235a8c6929ad959ae5fea1509ba4575a280513401b5f41b
SHA512

d2dfef736e73d3d0a25a2b707b92c3f57e4a5673198fac3de20bf5119d92d012824d2ab33a23a499be5a10b5018ff418e4c3dc48fa4d31785588eb4970c26a4b
SSDEEP

24576:631wpEXwOOCWVkSnz3R/sOfRQEZZjEg6GEaeJu47fnpdRgaCQIAYhrz:NpzNCWBDBsA5Z4lLD0H9z

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1464	AutoIt3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4444	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	AutoIt3.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe
1464	AutoIt3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4964	2380	cmd.exe	23
PID 2380 wrote to memory of 4964	2380	cmd.exe	23
PID 4964 wrote to memory of 2368	4964	cmd.exe	22
PID 4964 wrote to memory of 2368	4964	cmd.exe	22
PID 4964 wrote to memory of 1744	4964	cmd.exe	41
PID 4964 wrote to memory of 1744	4964	cmd.exe	41
PID 4964 wrote to memory of 2348	4964	cmd.exe	44
PID 4964 wrote to memory of 2348	4964	cmd.exe	44
PID 4964 wrote to memory of 1684	4964	cmd.exe	45
PID 4964 wrote to memory of 1684	4964	cmd.exe	45
PID 4964 wrote to memory of 4444	4964	cmd.exe	54
PID 4964 wrote to memory of 4444	4964	cmd.exe	54

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe"
    3⤵
    PID:1744
- - C:\Windows\system32\certutil.exe
    certutil -decode -f C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x"
    3⤵
    PID:2348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:4444

C:\Windows\system32\more.com
more +5 C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd
1⤵
PID:2368

C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe
"C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.3MB

MD5
62e5e023b0f490aa238a07dba9af6242

SHA1
13854398ef5458dd3b8461d258ba97b27c5da9e8

SHA256
cec5ffe842dc5a5e319a462778b41cd3fdc56b1aed7bed4541d696e307ba7b54

SHA512
0157b08c11b1baa12b74772a6e2bfb5cd4c94ea6c063126a612a281fc87ee53588eb3f45def4bc1c6b5185076a86d9d0784f3df658bc8a8cd81f626465e5db8e

Download Submit
C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x

Filesize
111KB

MD5
3094bf86168cddd1a32ec29a281290c1

SHA1
a82b2a8c0b9c50e4a4130c87c903fdcf85adddee

SHA256
26a2cb17bf0e6ffb1be481aedc1e1ac0fc5f2f8a74df881b815c8a1d490eba41

SHA512
c1e2a8c45127a87fc767b0bb0344379dead170d7a42b38f1fc1c44b95fa8fe88102d4c71ea1acf91013b82c26afd820cd56e4aaf72e07327c9f479460ba3a725

Download Submit
C:\Users\Admin\AppData\Roaming\pekulev\exe\V3314~1.5_2\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit