Overview

overview

8

Static

static

clave para...Is.txt

windows7-x64

1

clave para...Is.txt

windows10-2004-x64

1

factura.20...Is.cmd

windows7-x64

8

factura.20...Is.cmd

windows10-2004-x64

8

Analysis

  • max time kernel
    158s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    factura.20003802.YIs.cmd

  • Size

    7KB

  • MD5

    9e2ec64b4b72b2a179f09e8983cab503

  • SHA1

    8ac596246584e5326c3f5512157c825c04321cde

  • SHA256

    c3e8f8902c9ea831eaf28fd536f989f73fb7961a7bcd863801796102d9583b30

  • SHA512

    9c3a987d0b17f096a69369e5d9c06618b0b03c453b6a9e89ac7486e1579ebcbdbd0a501173e79d6346e2835884c58dccf737d1d87fca0cbfa53991c8390c63bb

  • SSDEEP

    96:e4bS5yNfoIZqAfrXfrXk+AfrX/jh0UXQR/sv4+zdHG+An9eQkVxRsUlSxWgd6wzh:6lQOHEn9dkVxRsp6wYmKm

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\factura.20003802.YIs.cmd"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TaWuWUrHsalEDrXHBzzO.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\QLHDRiKJ\trist.exe
        "C:\QLHDRiKJ\trist.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\QLHDRiKJ\CBSCreateVC.dll
    Filesize

    274.9MB

    MD5

    8fed02dff0d226a9eb5b290939f89a31

    SHA1

    c17944428ab1de67e761d9733866fc608dca7c72

    SHA256

    fcf4bd8094a80ec880e00ab79b0f0e63773c410f27cdadb91152e6afa800bfcb

    SHA512

    d61314c82bc819c2f837a5b2efcca72d043143b346856fff63416b41b91fe1bb918d1f5c3d142a1040d4a12d0393dc51e159e8a33645fa0673604818eaf157e5

    Download Submit

  • C:\QLHDRiKJ\CBSCreateVC.dll
    Filesize

    274.9MB

    MD5

    8fed02dff0d226a9eb5b290939f89a31

    SHA1

    c17944428ab1de67e761d9733866fc608dca7c72

    SHA256

    fcf4bd8094a80ec880e00ab79b0f0e63773c410f27cdadb91152e6afa800bfcb

    SHA512

    d61314c82bc819c2f837a5b2efcca72d043143b346856fff63416b41b91fe1bb918d1f5c3d142a1040d4a12d0393dc51e159e8a33645fa0673604818eaf157e5

    Download Submit

  • C:\QLHDRiKJ\CBSCreateVC.dll
    Filesize

    274.9MB

    MD5

    8fed02dff0d226a9eb5b290939f89a31

    SHA1

    c17944428ab1de67e761d9733866fc608dca7c72

    SHA256

    fcf4bd8094a80ec880e00ab79b0f0e63773c410f27cdadb91152e6afa800bfcb

    SHA512

    d61314c82bc819c2f837a5b2efcca72d043143b346856fff63416b41b91fe1bb918d1f5c3d142a1040d4a12d0393dc51e159e8a33645fa0673604818eaf157e5

    Download Submit

  • C:\QLHDRiKJ\CBSCreateVC.dll
    Filesize

    274.9MB

    MD5

    8fed02dff0d226a9eb5b290939f89a31

    SHA1

    c17944428ab1de67e761d9733866fc608dca7c72

    SHA256

    fcf4bd8094a80ec880e00ab79b0f0e63773c410f27cdadb91152e6afa800bfcb

    SHA512

    d61314c82bc819c2f837a5b2efcca72d043143b346856fff63416b41b91fe1bb918d1f5c3d142a1040d4a12d0393dc51e159e8a33645fa0673604818eaf157e5

    Download Submit

  • C:\QLHDRiKJ\CBSProducstInfo.dll
    Filesize

    692KB

    MD5

    6cd81e6343ab21a1d118243af54833a8

    SHA1

    bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

    SHA256

    306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

    SHA512

    295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

    Download Submit

  • C:\QLHDRiKJ\CBSProducstInfo.dll
    Filesize

    692KB

    MD5

    6cd81e6343ab21a1d118243af54833a8

    SHA1

    bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

    SHA256

    306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

    SHA512

    295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

    Download Submit

  • C:\QLHDRiKJ\CBSProducstInfo.dll
    Filesize

    692KB

    MD5

    6cd81e6343ab21a1d118243af54833a8

    SHA1

    bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

    SHA256

    306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

    SHA512

    295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

    Download Submit

  • C:\QLHDRiKJ\CBSProducstInfo.dll
    Filesize

    692KB

    MD5

    6cd81e6343ab21a1d118243af54833a8

    SHA1

    bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

    SHA256

    306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

    SHA512

    295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

    Download Submit

  • C:\QLHDRiKJ\DAQExp.dll
    Filesize

    1.4MB

    MD5

    b16ad0dd6c69c0c117c9d3647517786c

    SHA1

    825a54040c8e8dfe9ffb243796df806ee5b05708

    SHA256

    e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

    SHA512

    23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

    Download Submit

  • C:\QLHDRiKJ\DAQExp.dll
    Filesize

    1.4MB

    MD5

    b16ad0dd6c69c0c117c9d3647517786c

    SHA1

    825a54040c8e8dfe9ffb243796df806ee5b05708

    SHA256

    e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

    SHA512

    23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

    Download Submit

  • C:\QLHDRiKJ\trist.exe
    Filesize

    2.0MB

    MD5

    db67e9196605d61d8278e5278777c71f

    SHA1

    6fe39b3ace96505269745ed2b81975abb5aea647

    SHA256

    9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

    SHA512

    d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

    Download Submit

  • C:\QLHDRiKJ\trist.exe
    Filesize

    2.0MB

    MD5

    db67e9196605d61d8278e5278777c71f

    SHA1

    6fe39b3ace96505269745ed2b81975abb5aea647

    SHA256

    9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

    SHA512

    d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

    Download Submit

  • C:\QLHDRiKJ\trist.ini
    Filesize

    4KB

    MD5

    3e7d1bf85c27b185a920dc26b776758e

    SHA1

    3623ff4e4d244d951426647b5f765dec5bbdd99a

    SHA256

    d5be03e38f60722dca24be527e5e97b60e383dbb6c88452964c9ce4683dcd6f5

    SHA512

    e744594e22afbdc8482cdcad8540ebfe8444e9e4fc093fbfe785421cb77d8543f7525327e3b5ba299194944bf45afb896f7d5688ea44f840c57e2c2460b77869

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TaWuWUrHsalEDrXHBzzO.vbs
    Filesize

    6KB

    MD5

    b8ee6b36f59e39b05a6163208cf84bda

    SHA1

    160267dc9270881c4725d4a647f4f1510753e7a0

    SHA256

    70e35afbfb7460aa337eae5b669df347efd61604d5fc5ce746b8723a97ff6138

    SHA512

    2ceb4209570e9ee1b2c80b8de71bc413a24ec588ec11e1d1fd54c014c3f3574b1af972fddd8bb9d231ceb32e30ba1cca7538263cfcdb213bfabb968c0197c8eb

    Download Submit

  • memory/320-146-0x0000000000C11000-0x0000000000C9E000-memory.dmp

    Filesize

    564KB

    Download

  • memory/320-134-0x0000000000000000-mapping.dmp

    Download

  • memory/320-150-0x0000000011F10000-0x0000000012F10000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/320-151-0x0000000011F10000-0x0000000012F10000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3968-132-0x0000000000000000-mapping.dmp

    Download