Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 13:04
Static task: static1
Behavioral task: behavioral1 (Sample: Fluxo de Caixa.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Fluxo de Caixa.exe, Resource: win10v2004-20220812-en)
General
- Target: Fluxo de Caixa.exe
- Size: 371KB
- MD5: 01b936cf783fe182a628c65e70dfebd9
- SHA1: 273ca25fc53e1e07aa2e398bb5850c1c75863bc5
- SHA256: 9d3a6225b5afb12815d37e34f88cf8d33d366c401bb53ae23a75599361e33bde
- SHA512: dd3134c70d933ff9dffc280d2992776776b5e257846884dacd6fbb077a455ebeb5158e27da6b5dd0c0083d82f3c5399abb6e7a6da91daeff4f73d0b7cb148bc3
- SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/a02zubNdw0I:lToPWBv/cpGrU3y8tGgubNd6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1372  fnnegxcnfza.exe
- Loads dropped DLL (7 IoCs)
  Processes:
    PID 1920  Fluxo de Caixa.exe  (5 loads)
    PID 1372  fnnegxcnfza.exe
    PID 1772  fnnegxcnfza.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (each key opened by fnnegxcnfza.exe):
    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1372 fnnegxcnfza.exe set thread context of PID 1772 fnnegxcnfza.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but nothing else in this report shows file encryption or a ransom note, so on its own it is a weak indicator; the Outlook-profile access and the self-injection below are the stronger signals here.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 1772  fnnegxcnfza.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1920 Fluxo de Caixa.exe wrote to memory of PID 1372 fnnegxcnfza.exe  (4 times)
    PID 1372 fnnegxcnfza.exe wrote to memory of PID 1772 fnnegxcnfza.exe  (5 times)
- outlook_office_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  fnnegxcnfza.exe
- outlook_win_path (1 IoC)
  Processes:
    Key opened  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  fnnegxcnfza.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Fluxo de Caixa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fluxo de Caixa.exe"
  (PID 1920 in the signature tables)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe"
    (PID 1372, child of 1920)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe"
      (PID 1772, child of 1372)
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe  (listed three times in the report, identical hashes)
  Filesize: 6KB
  MD5: 7cf4ea82535ade82b1c712d20fc29b7e
  SHA1: 12aec20e69d3128d79af90f080cab507c2a39cf5
  SHA256: 8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469
  SHA512: dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682
- C:\Users\Admin\AppData\Local\Temp\lsvkvrvdfb.po
  Filesize: 104KB
  MD5: c55695b69f3e38ad70a2c6fbb3518a97
  SHA1: 42b20c90103af7176b7549adfab8d3c3fcf1f5d8
  SHA256: e7d12a75068e15a01a48e08bd11527396fa9445a761ddc4530d72e9089267011
  SHA512: ccc9aebd70218b34066f2194fca2af40426023302799dd08cd155efb818023a61ec79d5445e803ade067ac6506c424be3dc93dc7fb1148797572a268ec3197a8
- C:\Users\Admin\AppData\Local\Temp\shaelzmn.wr
  Filesize: 4KB
  MD5: f31d1ffd7c8559e89cf35e1d87ef8d97
  SHA1: 6851155ae1d3920aadaa440dc54fe46935ad2d0c
  SHA256: 97c3725a2759814ad8e67c1c08f53e2bfacd6e66c0a97aa881549641e8b8ff06
  SHA512: c22c66570d12617b0dcd7f49eb5e2433ba209a6fbf136a14d9ec51d7ab840ef51791de69c2f778a653116e6773c678c0dde80c834c0ea11abe6b410bd85c6e22
- \Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe  (listed six times in the report; same file and hashes as the first entry above)
  Filesize: 6KB
  MD5: 7cf4ea82535ade82b1c712d20fc29b7e
  SHA1: 12aec20e69d3128d79af90f080cab507c2a39cf5
  SHA256: 8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469
  SHA512: dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682
- memory/1372-60-0x0000000000000000-mapping.dmp
- memory/1772-67-0x00000000004139DE-mapping.dmp
- memory/1920-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize: 8KB