Analysis
- max time kernel: 149s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 13:04
Static task: static1
Behavioral task: behavioral1
- Sample: Fluxo de Caixa.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Fluxo de Caixa.exe
- Resource: win10v2004-20220812-en
General
- Target: Fluxo de Caixa.exe
- Size: 371KB
- MD5: 01b936cf783fe182a628c65e70dfebd9
- SHA1: 273ca25fc53e1e07aa2e398bb5850c1c75863bc5
- SHA256: 9d3a6225b5afb12815d37e34f88cf8d33d366c401bb53ae23a75599361e33bde
- SHA512: dd3134c70d933ff9dffc280d2992776776b5e257846884dacd6fbb077a455ebeb5158e27da6b5dd0c0083d82f3c5399abb6e7a6da91daeff4f73d0b7cb148bc3
- SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/a02zubNdw0I:lToPWBv/cpGrU3y8tGgubNd6
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 3160 fnnegxcnfza.exe
  - PID 2168 fnnegxcnfza.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Fluxo de Caixa.exe: key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 4356 fnnegxcnfza.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - fnnegxcnfza.exe: key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - fnnegxcnfza.exe: key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - fnnegxcnfza.exe: key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3160 fnnegxcnfza.exe set thread context of PID 4356 fnnegxcnfza.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 4356 fnnegxcnfza.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  - PID 4944 Fluxo de Caixa.exe wrote to memory of PID 3160 fnnegxcnfza.exe (3 events)
  - PID 3160 fnnegxcnfza.exe wrote to memory of PID 2168 fnnegxcnfza.exe (3 events)
  - PID 3160 fnnegxcnfza.exe wrote to memory of PID 4356 fnnegxcnfza.exe (4 events)
- outlook_office_path (1 IoC)
  Processes:
  - fnnegxcnfza.exe: key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
  - fnnegxcnfza.exe: key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- "C:\Users\Admin\AppData\Local\Temp\Fluxo de Caixa.exe" (depth 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe" (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe" (depth 3)
      - Executes dropped EXE
    - "C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe" (depth 3)
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
  - Filesize: 6KB
  - MD5: 7cf4ea82535ade82b1c712d20fc29b7e
  - SHA1: 12aec20e69d3128d79af90f080cab507c2a39cf5
  - SHA256: 8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469
  - SHA512: dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682
- C:\Users\Admin\AppData\Local\Temp\lsvkvrvdfb.po
  - Filesize: 104KB
  - MD5: c55695b69f3e38ad70a2c6fbb3518a97
  - SHA1: 42b20c90103af7176b7549adfab8d3c3fcf1f5d8
  - SHA256: e7d12a75068e15a01a48e08bd11527396fa9445a761ddc4530d72e9089267011
  - SHA512: ccc9aebd70218b34066f2194fca2af40426023302799dd08cd155efb818023a61ec79d5445e803ade067ac6506c424be3dc93dc7fb1148797572a268ec3197a8
- C:\Users\Admin\AppData\Local\Temp\shaelzmn.wr
  - Filesize: 4KB
  - MD5: f31d1ffd7c8559e89cf35e1d87ef8d97
  - SHA1: 6851155ae1d3920aadaa440dc54fe46935ad2d0c
  - SHA256: 97c3725a2759814ad8e67c1c08f53e2bfacd6e66c0a97aa881549641e8b8ff06
  - SHA512: c22c66570d12617b0dcd7f49eb5e2433ba209a6fbf136a14d9ec51d7ab840ef51791de69c2f778a653116e6773c678c0dde80c834c0ea11abe6b410bd85c6e22
- memory/3160-132-0x0000000000000000-mapping.dmp
- memory/4356-138-0x0000000000000000-mapping.dmp