Analysis
- max time kernel: 45s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: Fiscal_Eletronico.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Fiscal_Eletronico.exe
- Resource: win10v2004-20220812-en
General
- Target: Fiscal_Eletronico.exe
- Size: 37KB
- MD5: 79d4353d76a1e90e44cecfe752411da4
- SHA1: 3a2d58473740dcafb2d5fc9d24ebaa608534eba0
- SHA256: bc5195bb7590b14935ccdcf2ca8d85c225ccd0c2f3822e65ebe90e9b011fe94e
- SHA512: f61fbb233a9a4bf4b878e72464aded2bad44cbc8110e1010a958a02de952ee20c8b057c385cd605ba45ed23a4b2a75f8374140a620ba0bd833abc45b5f5aed6c
- SSDEEP: 384:XQzz1QFgyNn8pXDLf45TQfeyh8yF9Ur6J9djOA71PHy2bLf45sf6Qfz7NF8Fww8E:XQzzcgyN8pX3lB5J9xO6TflbtX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: RYNKSFQE.exe (PID 268)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Fiscal_Eletronico.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\RYNKSFQE = "C:\\Users\\Admin\\AppData\\Roaming\\RYNKSFQE.exe"
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: Fiscal_Eletronico.exe
  PID 1324 (Fiscal_Eletronico.exe) wrote to memory of PID 268 (RYNKSFQE.exe)
  PID 1324 (Fiscal_Eletronico.exe) wrote to memory of PID 268 (RYNKSFQE.exe)
  PID 1324 (Fiscal_Eletronico.exe) wrote to memory of PID 268 (RYNKSFQE.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Fiscal_Eletronico.exe (PID 1324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fiscal_Eletronico.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\RYNKSFQE.exe (PID 268, child of 1324)
    Command line: C:\Users\Admin\AppData\Roaming\RYNKSFQE.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\RYNKSFQE.exe
  Filesize: 17KB
  MD5: 19b8859e8a4251aa0815e747481034b9
  SHA1: c15405d5951baa266b576eddab0fca1870d1e2d3
  SHA256: 8effa1bc2b177a9088bf61f25e955e1d91586d8753b6cda33be1ac197fcfaf91
  SHA512: 940a5b4d9dd573ea1bbfa75ac55bfeaa33d9ffa719d0bd5f4359063eb76d5aecaf2fa46ee2a198fdf145e6e840402476d2ce5270d81830d3d0ce5649bebef5c4
- memory/268-56-0x0000000000000000-mapping.dmp
- memory/268-59-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp, Filesize: 10.1MB
- memory/268-60-0x000007FEF2740000-0x000007FEF37D6000-memory.dmp, Filesize: 16.6MB
- memory/268-62-0x000000001B9A0000-0x000000001BC9F000-memory.dmp, Filesize: 3.0MB
- memory/268-64-0x00000000008D6000-0x00000000008F5000-memory.dmp, Filesize: 124KB
- memory/268-65-0x00000000008D6000-0x00000000008F5000-memory.dmp, Filesize: 124KB
- memory/1324-54-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp, Filesize: 10.1MB
- memory/1324-55-0x000007FEF2740000-0x000007FEF37D6000-memory.dmp, Filesize: 16.6MB
- memory/1324-61-0x0000000000B06000-0x0000000000B25000-memory.dmp, Filesize: 124KB
- memory/1324-63-0x0000000000B06000-0x0000000000B25000-memory.dmp, Filesize: 124KB