Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 07:21

Behavioral task behavioral1
- Sample: 219c1d87426d8ed8b3e62176d1291f80.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 219c1d87426d8ed8b3e62176d1291f80.exe
- Resource: win10v2004-20220812-en
General
- Target: 219c1d87426d8ed8b3e62176d1291f80.exe
- Size: 8.9MB
- MD5: 219c1d87426d8ed8b3e62176d1291f80
- SHA1: 105af4d6ca9510c99657145ff0ebf4db71238a32
- SHA256: 67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea
- SHA512: 0bcfb390bd234bd313ea4335faae2011e297f7d9012b14457a011c883b171b99c08e8c43a6f4502ea260a2138521c006e0e78365cbcfb74cb7a417e8e9b56dd6
- SSDEEP: 196608:FquoUUOSW7GeGIr1reEs+sqgwC1UODDjai0fyxrAWk:00EkbGIrZbbsPUODZY
Malware Config
Extracted
- Family: eternity
- C2: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
- payload_urls:
  http://167.88.170.23/w993.exe
  http://167.88.170.23/s101.exe
  http://167.88.170.23/101.exe
  http://167.88.170.23/R101.exe
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (4 IoCs)
  Processes:
    PID 3408  Catalogo2019.exe
    PID 4948  Catalogo2019.exe
    PID 2456  Catalogo2019.exe
    PID 4048  Catalogo2019.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (219c1d87426d8ed8b3e62176d1291f80.exe)
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (Catalogo2019.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3408 (Catalogo2019.exe) set thread context of PID 4948 (Catalogo2019.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (AcroRd32.exe)
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (AcroRd32.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies Internet Explorer settings (1 IoC)
  Processes:
    Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  (AcroRd32.exe)
- Modifies registry class (1 IoC)
  Processes:
    Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  (219c1d87426d8ed8b3e62176d1291f80.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    PID 2240  AcroRd32.exe  (18 occurrences)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    PID 2240  AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    PID 2240  AcroRd32.exe  (6 occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID / process -> target PID / process, occurrences):
    764   219c1d87426d8ed8b3e62176d1291f80.exe -> 2240  AcroRd32.exe      (3)
    764   219c1d87426d8ed8b3e62176d1291f80.exe -> 3408  Catalogo2019.exe  (3)
    2240  AcroRd32.exe                         -> 4916  RdrCEF.exe        (3)
    4916  RdrCEF.exe                           -> 1520  RdrCEF.exe        (43)
    4916  RdrCEF.exe                           -> 240   RdrCEF.exe        (12)
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F75942E21761538BE004F19EA1B84969 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F75942E21761538BE004F19EA1B84969 --renderer-client-id=2 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0935864CE6408BEA13586B4CCA3587A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0935864CE6408BEA13586B4CCA3587A3 --renderer-client-id=3 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D67B073A3FBF97803E6E60F289097D00 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BAF26209D526BEEBD72BE83B7E814B9A --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=943318D0486DF8949538A2FB1D3E3084 --mojo-platform-channel-handle=2700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7D9B5D63FB24033307C6CD1D091A41 --mojo-platform-channel-handle=2628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
      Command line: "{path}"
      Signatures: Executes dropped EXE; Checks computer location settings
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
        - C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          Signatures: Runs ping.exe
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f
          Signatures: Creates scheduled task(s)
        - C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
          Command line: "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
          Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
  Signatures: Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Catalogo2019.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
  Filesize: 1.8MB
  MD5: 68d348019229f619929995cf7f7dfa4d
  SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
  SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
  SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6
- C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
  Filesize: 1.8MB
  MD5: 68d348019229f619929995cf7f7dfa4d
  SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
  SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
  SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6
- C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf
  Filesize: 6.9MB
  MD5: 860c783b07be69a39bcc9ffd3037c26e
  SHA1: aecdf16bd194f061a9a61e43e6572e5cc207721c
  SHA256: cc61f690953749f79783f8001b7e450709e74d54a13857806bc4bda1603bcb4e
  SHA512: f01840127856ae37167de832b67d8361452365d452c58a753a4f9c1692dde44f1b1c6d2f1083e3e9999fc4642e03a08bf6e5c3ade2b3e3a3cf21ca4996b6e3a8
- memory/240-150-0x0000000000000000-mapping.dmp
- memory/384-161-0x0000000000000000-mapping.dmp
- memory/764-132-0x0000000000700000-0x0000000000FF0000-memory.dmp (Filesize: 8.9MB)
- memory/856-164-0x0000000000000000-mapping.dmp
- memory/1520-145-0x0000000000000000-mapping.dmp
- memory/1928-158-0x0000000000000000-mapping.dmp
- memory/2240-133-0x0000000000000000-mapping.dmp
- memory/2456-174-0x0000000000000000-mapping.dmp
- memory/2612-172-0x0000000000000000-mapping.dmp
- memory/2712-155-0x0000000000000000-mapping.dmp
- memory/2916-173-0x0000000000000000-mapping.dmp
- memory/3176-171-0x0000000000000000-mapping.dmp
- memory/3408-139-0x0000000005560000-0x0000000005B04000-memory.dmp (Filesize: 5.6MB)
- memory/3408-142-0x0000000005090000-0x000000000509A000-memory.dmp (Filesize: 40KB)
- memory/3408-141-0x00000000050F0000-0x000000000518C000-memory.dmp (Filesize: 624KB)
- memory/3408-140-0x0000000004FB0000-0x0000000005042000-memory.dmp (Filesize: 584KB)
- memory/3408-138-0x0000000000540000-0x000000000071E000-memory.dmp (Filesize: 1.9MB)
- memory/3408-135-0x0000000000000000-mapping.dmp
- memory/3796-169-0x0000000000000000-mapping.dmp
- memory/4916-143-0x0000000000000000-mapping.dmp
- memory/4948-167-0x0000000000400000-0x0000000000552000-memory.dmp (Filesize: 1.3MB)
- memory/4948-166-0x0000000000000000-mapping.dmp