56d7c75bb3d775e948c10dfa3fd83d9b1a08dcd73147bb2ff67341176cd3c6e4

Analysis

max time kernel
599s
max time network
416s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFDI sat.mx.cmd
Size

1.6MB
MD5

5d510d0ab982f934afabd402219db19c
SHA1

f6ae8ecb42f5bdc0a54c2dc8392049580f3085d5
SHA256

56d7c75bb3d775e948c10dfa3fd83d9b1a08dcd73147bb2ff67341176cd3c6e4
SHA512

bec68e72a70e5bdf129667621670a15a1a55d13190807cc6514babc51315225bc40ceed334eaff7e8a5bb4a41b8209d653f2dd0d487dc673b51e404bb96d7d57
SSDEEP

24576:EotxQMlJva9Ya7MLkx7dWpAECJvaz35lCK1CjMzGbfJFQ9w9DI5Jb5ruQ3duLD:xQCiTldNtad10bQFhcLD

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1364	gallegos.exe

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	gallegos.exe
1364	gallegos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1020	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	gallegos.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1548	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	gallegos.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe
Token: SeSecurityPrivilege	1768	WMIC.exe
Token: SeTakeOwnershipPrivilege	1768	WMIC.exe
Token: SeLoadDriverPrivilege	1768	WMIC.exe
Token: SeSystemProfilePrivilege	1768	WMIC.exe
Token: SeSystemtimePrivilege	1768	WMIC.exe
Token: SeProfSingleProcessPrivilege	1768	WMIC.exe
Token: SeIncBasePriorityPrivilege	1768	WMIC.exe
Token: SeCreatePagefilePrivilege	1768	WMIC.exe
Token: SeBackupPrivilege	1768	WMIC.exe
Token: SeRestorePrivilege	1768	WMIC.exe
Token: SeShutdownPrivilege	1768	WMIC.exe
Token: SeDebugPrivilege	1768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1768	WMIC.exe
Token: SeRemoteShutdownPrivilege	1768	WMIC.exe
Token: SeUndockPrivilege	1768	WMIC.exe
Token: SeManageVolumePrivilege	1768	WMIC.exe
Token: 33	1768	WMIC.exe
Token: 34	1768	WMIC.exe
Token: 35	1768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1768	WMIC.exe
Token: SeSecurityPrivilege	1768	WMIC.exe
Token: SeTakeOwnershipPrivilege	1768	WMIC.exe
Token: SeLoadDriverPrivilege	1768	WMIC.exe
Token: SeSystemProfilePrivilege	1768	WMIC.exe
Token: SeSystemtimePrivilege	1768	WMIC.exe
Token: SeProfSingleProcessPrivilege	1768	WMIC.exe
Token: SeIncBasePriorityPrivilege	1768	WMIC.exe
Token: SeCreatePagefilePrivilege	1768	WMIC.exe
Token: SeBackupPrivilege	1768	WMIC.exe
Token: SeRestorePrivilege	1768	WMIC.exe
Token: SeShutdownPrivilege	1768	WMIC.exe
Token: SeDebugPrivilege	1768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1768	WMIC.exe
Token: SeRemoteShutdownPrivilege	1768	WMIC.exe
Token: SeUndockPrivilege	1768	WMIC.exe
Token: SeManageVolumePrivilege	1768	WMIC.exe
Token: 33	1768	WMIC.exe
Token: 34	1768	WMIC.exe
Token: 35	1768	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe
1364	gallegos.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1784	1948	cmd.exe	29
PID 1948 wrote to memory of 1784	1948	cmd.exe	29
PID 1948 wrote to memory of 1784	1948	cmd.exe	29
PID 1784 wrote to memory of 2012	1784	cmd.exe	31
PID 1784 wrote to memory of 2012	1784	cmd.exe	31
PID 1784 wrote to memory of 2012	1784	cmd.exe	31
PID 1784 wrote to memory of 1548	1784	cmd.exe	32
PID 1784 wrote to memory of 1548	1784	cmd.exe	32
PID 1784 wrote to memory of 1548	1784	cmd.exe	32
PID 1784 wrote to memory of 972	1784	cmd.exe	33
PID 1784 wrote to memory of 972	1784	cmd.exe	33
PID 1784 wrote to memory of 972	1784	cmd.exe	33
PID 1784 wrote to memory of 1724	1784	cmd.exe	34
PID 1784 wrote to memory of 1724	1784	cmd.exe	34
PID 1784 wrote to memory of 1724	1784	cmd.exe	34
PID 1784 wrote to memory of 1768	1784	cmd.exe	35
PID 1784 wrote to memory of 1768	1784	cmd.exe	35
PID 1784 wrote to memory of 1768	1784	cmd.exe	35
PID 1784 wrote to memory of 1020	1784	cmd.exe	38
PID 1784 wrote to memory of 1020	1784	cmd.exe	38
PID 1784 wrote to memory of 1020	1784	cmd.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\more.com
    more +5 "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
    3⤵
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(gc ~~) -replace '}', '' | Out-File -encoding ASCII ~~"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe"
    3⤵
    PID:972
- - C:\Windows\system32\certutil.exe
    certutil -decode -f "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x"
    3⤵
    PID:1724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:1020

C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe
"C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x" ""
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- outlook_office_path
- outlook_win_path
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
294916a128b91a25737bd56c6b0e3d0d

SHA1
dd5025c2617f25bd949c8517110b57aa615d6cef

SHA256
a6fc75ac1d1c645032d2e91905949955bfaf72c492e5b4ce97c2511fbd53eabd

SHA512
250ee066d1af2460431004e705204eaaaae0edb259adc594d9c40e16852b0e832196e75a9dce9a4dc4e30f8f9c76e3df2f5462645845679d5b469c54ca537d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
e50dfa2335fe8e3ec417e6d70e0890aa

SHA1
0836ba2585dd0df7940ae572c13ecb070be12506

SHA256
9ae5b8f6d041624389f5c6969004de52cb7e11baf42323aa140539b8c21bb573

SHA512
518104ab14400e3b79b257dfb1ba78a9840ae5bcbcbc66f0591f6cc4ca9ed0a884e3b6b8c5a28b2bc5fa0e04601aa337925fc2b894a497981096cea1b0d9a557

Download Submit
C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x

Filesize
310KB

MD5
136361f9b9ee446dfa628c6311a60187

SHA1
75c7cc39f034a0b7afd93d41115a33eb87b00100

SHA256
cc7e6adc1693a2e652d83b872228067aea2938782ebbea808f20d5296f0b7625

SHA512
fad384c4fccafa079def438595e44a1bc6b840ce6c860113bb5f35cfd8cc615125fa3b0f472b49f36e61724f76ba4aef492b518ccdbf1e5494e56b040938ff3f

Download Submit
C:\Users\Admin\AppData\Roaming\weber\exe\VSHEPH~1\gallegos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
memory/972-67-0x00000000FF7D1000-0x00000000FF7D3000-memory.dmp

Filesize
8KB

Download
memory/1364-74-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1548-63-0x0000000002A1B000-0x0000000002A3A000-memory.dmp

Filesize
124KB

Download
memory/1548-64-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/1548-65-0x0000000002A1B000-0x0000000002A3A000-memory.dmp

Filesize
124KB

Download
memory/1548-59-0x000007FEF37B0000-0x000007FEF430D000-memory.dmp

Filesize
11.4MB

Download
memory/1548-57-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1548-61-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1548-58-0x000007FEF4310000-0x000007FEF4D33000-memory.dmp

Filesize
10.1MB

Download
memory/1548-60-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/1724-70-0x00000000FFF41000-0x00000000FFF43000-memory.dmp

Filesize
8KB

Download