56d7c75bb3d775e948c10dfa3fd83d9b1a08dcd73147bb2ff67341176cd3c6e4

Analysis

max time kernel
599s
max time network
492s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFDI sat.mx.cmd
Size

1.6MB
MD5

5d510d0ab982f934afabd402219db19c
SHA1

f6ae8ecb42f5bdc0a54c2dc8392049580f3085d5
SHA256

56d7c75bb3d775e948c10dfa3fd83d9b1a08dcd73147bb2ff67341176cd3c6e4
SHA512

bec68e72a70e5bdf129667621670a15a1a55d13190807cc6514babc51315225bc40ceed334eaff7e8a5bb4a41b8209d653f2dd0d487dc673b51e404bb96d7d57
SSDEEP

24576:EotxQMlJva9Ya7MLkx7dWpAECJvaz35lCK1CjMzGbfJFQ9w9DI5Jb5ruQ3duLD:xQCiTldNtad10bQFhcLD

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3712	gallegos.exe

Loads dropped DLL 2 IoCs

pid	Process
3712	gallegos.exe
3712	gallegos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4576	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	gallegos.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	powershell.exe
4836	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3712	gallegos.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe
3712	gallegos.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2348	1612	cmd.exe	85
PID 1612 wrote to memory of 2348	1612	cmd.exe	85
PID 2348 wrote to memory of 664	2348	cmd.exe	87
PID 2348 wrote to memory of 664	2348	cmd.exe	87
PID 2348 wrote to memory of 4836	2348	cmd.exe	88
PID 2348 wrote to memory of 4836	2348	cmd.exe	88
PID 2348 wrote to memory of 2224	2348	cmd.exe	91
PID 2348 wrote to memory of 2224	2348	cmd.exe	91
PID 2348 wrote to memory of 4636	2348	cmd.exe	93
PID 2348 wrote to memory of 4636	2348	cmd.exe	93
PID 2348 wrote to memory of 4680	2348	cmd.exe	94
PID 2348 wrote to memory of 4680	2348	cmd.exe	94
PID 2348 wrote to memory of 4576	2348	cmd.exe	96
PID 2348 wrote to memory of 4576	2348	cmd.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gallegos.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\more.com
    more +5 "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd"
    3⤵
    PID:664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(gc ~~) -replace '}', '' | Out-File -encoding ASCII ~~"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe"
    3⤵
    PID:2224
- - C:\Windows\system32\certutil.exe
    certutil -decode -f "C:\Users\Admin\AppData\Local\Temp\CFDI sat.mx.cmd" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x"
    3⤵
    PID:4636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:4576

C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe
"C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe" "C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x" ""
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- outlook_office_path
- outlook_win_path
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
294916a128b91a25737bd56c6b0e3d0d

SHA1
dd5025c2617f25bd949c8517110b57aa615d6cef

SHA256
a6fc75ac1d1c645032d2e91905949955bfaf72c492e5b4ce97c2511fbd53eabd

SHA512
250ee066d1af2460431004e705204eaaaae0edb259adc594d9c40e16852b0e832196e75a9dce9a4dc4e30f8f9c76e3df2f5462645845679d5b469c54ca537d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
e50dfa2335fe8e3ec417e6d70e0890aa

SHA1
0836ba2585dd0df7940ae572c13ecb070be12506

SHA256
9ae5b8f6d041624389f5c6969004de52cb7e11baf42323aa140539b8c21bb573

SHA512
518104ab14400e3b79b257dfb1ba78a9840ae5bcbcbc66f0591f6cc4ca9ed0a884e3b6b8c5a28b2bc5fa0e04601aa337925fc2b894a497981096cea1b0d9a557

Download Submit
C:\Users\Admin\AppData\Roaming\weber\a3x\heller\CFDI sat.mx.a3x

Filesize
310KB

MD5
136361f9b9ee446dfa628c6311a60187

SHA1
75c7cc39f034a0b7afd93d41115a33eb87b00100

SHA256
cc7e6adc1693a2e652d83b872228067aea2938782ebbea808f20d5296f0b7625

SHA512
fad384c4fccafa079def438595e44a1bc6b840ce6c860113bb5f35cfd8cc615125fa3b0f472b49f36e61724f76ba4aef492b518ccdbf1e5494e56b040938ff3f

Download Submit
C:\Users\Admin\AppData\Roaming\weber\exe\VSHEPH~1\gallegos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\weber\exe\vshepherd\gallegos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/4836-135-0x0000020B92E60000-0x0000020B92E82000-memory.dmp

Filesize
136KB

Download
memory/4836-138-0x00007FF9840C0000-0x00007FF984B81000-memory.dmp

Filesize
10.8MB

Download
memory/4836-137-0x00007FF9840C0000-0x00007FF984B81000-memory.dmp

Filesize
10.8MB

Download