Analysis
- max time kernel: 45s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 12:57
- Static task: static1
- Behavioral task behavioral1: sample doc_Factura.cmd on resource win7-20220812-en
- Behavioral task behavioral2: sample doc_Factura.cmd on resource win10v2004-20221111-en
The signatures, process tree and dropped files below are from the Windows 7 x64 run (behavioral1).
General
- Target: doc_Factura.cmd ("factura" is Spanish for invoice, an invoice-themed lure name)
- Size: 1.3MB
- MD5: c4cdec52d55e23afe4ef8eb489a3f606
- SHA1: b702aaa5ad698ff53bf78888bb7b091d98744dc2
- SHA256: 8139c3fe860410dee6c76c9bc1ababc163043f9d4784ed468fe8a25a7c0eae41
- SHA512: ce170ac5758ab384e7973fceaa7911d2e0f74f74c4f552e665b3d0d96a63663f732384d0238da37d71feca028b605e134e58a673a855fa6d539b5761926586c8
- SSDEEP: 24576:botxQMlJvK+rvgp20/sNerYDfUizKFfUsmldic5sgFaT0hA06t8:cQCi+klmDMkEVYmi
Malware Config
Signatures
- Downloads MZ/PE file (no IoC recorded)
- Executes dropped EXE (1 IoC)
  PID 1484 reyna.exe
- Deletes itself (1 IoC)
  PID 1016 cmd.exe
- Loads dropped DLL (1 IoC)
  PID 1484 reyna.exe. The only DLL among the dropped files is \Users\Admin\AppData\Local\Temp\sqlite3.dll (see Downloads); stealers carry the SQLite library to parse browser credential and cookie databases, which fits the browser-data signature below.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by reyna.exe:
  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings, including stored mail-server credentials, which is why the sample probes it under every Office version path.
- Delays execution with timeout.exe (1 IoC)
  PID 1132 timeout.exe
- NTFS ADS (1 IoC)
  File opened for modification by reyna.exe: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2
  The "file name" is the WMI moniker winmgmts:{impersonationLevel=impersonate}!\root\cimv2 resolved relative to the working directory; the colon inside it is what matches the ADS heuristic, so treat this as a likely false positive rather than evidence of an alternate data stream being written.
- Script User-Agent (2 IoCs)
  Uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header, flow 5: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 7: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. the requests came from script code rather than a browser. The Network section of this page lists no flows, so the destinations are not recorded here.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 592 powershell.exe
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  PID 592 powershell.exe: SeDebugPrivilege
  PID 612 WMIC.exe, the same 20 privileges enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (SeIncreaseWorkingSetPrivilege), 34 (SeTimeZonePrivilege), 35 (SeCreateSymbolicLinkPrivilege)
  wmic.exe enables every privilege in its token on startup, so the 40 WMIC entries are normal for the tool and only confirm that wmic ran; they are not the payload escalating.
- Suspicious use of FindShellTrayWindow (12 IoCs)
  PID 1484 reyna.exe (12 calls)
- Suspicious use of SendNotifyMessage (12 IoCs)
  PID 1484 reyna.exe (12 calls)
- Suspicious use of WriteProcessMemory (37 IoCs)
  Each pair below is logged three times (four times in the 32-bit reyna.exe subtree). Every pair is an edge of the process tree below, i.e. a parent writing into a child it has just created, not injection into an unrelated process.
  PID 2020 cmd.exe -> 1016 cmd.exe
  PID 1016 cmd.exe -> 740 more.com
  PID 1016 cmd.exe -> 592 powershell.exe
  PID 1016 cmd.exe -> 928 certutil.exe
  PID 1016 cmd.exe -> 1312 certutil.exe
  PID 1016 cmd.exe -> 612 WMIC.exe
  PID 1016 cmd.exe -> 1132 timeout.exe
  PID 1484 reyna.exe -> 1632 cmd.exe (x4)
  PID 1484 reyna.exe -> 1620 cmd.exe (x4)
  PID 1620 cmd.exe -> 852 choice.exe (x4)
  PID 1632 cmd.exe -> 880 choice.exe (x4)
- outlook_office_path (1 IoC)
  Key opened by reyna.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by reyna.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
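The signatures above are individually noisy (certutil, wmic and choice are all legitimate tools), but the combination this dropper used is specific enough to encode as process-creation rules. The Python below is an added example written for this page, not the sandbox's own signature logic: it expresses five of the listed behaviours as predicates over Sysmon-style process-creation records and runs them over events constructed from this report's process tree. The field names, the WmiPrvSE.exe parent PID (1000) given to reyna.exe, and the two benign control events are assumptions.

```python
"""Process-creation rules for the behaviours in the Signatures section above.

Added example, not part of the sandbox. Each rule keys on one observation from
the report: certutil -decode launched by cmd.exe, wmic "process call create",
cmd.exe using `choice ... /T n` as a sleep before DEL or RMDIR, a PowerShell
one-liner rewriting a file with (gc ...) -replace, and an executable under
AppData started with a .a3x script. Field names, the WmiPrvSE.exe parent PID
(1000) and the benign control events are assumptions made for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str       # command line as logged
    parent_image: str  # full path of the creating process


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _has(pattern, text):
    return re.search(pattern, text, re.I) is not None


# Predicates are kept narrow on purpose: `certutil -verify` or `wmic os get`
# must not fire, only the combinations the dropper actually used.
RULES = [
    ("certutil_decode_from_cmd", lambda e: _name(e.image) == "certutil.exe"
        and _has(r"\s-decode\b", e.cmdline) and _name(e.parent_image) == "cmd.exe"),
    ("wmic_process_call_create", lambda e: _name(e.image) == "wmic.exe"
        and _has(r"process\s+call\s+create", e.cmdline)),
    ("choice_sleep_then_delete", lambda e: _name(e.image) == "cmd.exe"
        and _has(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+", e.cmdline)
        and _has(r"&\s*(DEL|RMDIR|RD)\b", e.cmdline)),
    ("powershell_rewrites_file", lambda e: _name(e.image) == "powershell.exe"
        and _has(r"\(gc\s", e.cmdline) and _has(r"-replace\b", e.cmdline)
        and _has(r"\bOut-File\b", e.cmdline)),
    ("a3x_interpreter_from_appdata", lambda e: "\\appdata\\" in e.image.lower()
        and _has(r"\.a3x\b", e.cmdline)),
]


def evaluate(events):
    """Return sorted (pid, rule_id) pairs for every event that trips a rule."""
    return sorted((e.pid, rid) for e in events for rid, pred in RULES if pred(e))


def subtree(events, root_pid):
    """PIDs reachable from root_pid via ppid links. WMIC-created processes are
    parented to WmiPrvSE.exe, so the payload is NOT in cmd.exe's subtree; a
    correlation has to join on the command line, not on lineage alone."""
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e.pid)
    seen, stack = set(), [root_pid]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(kids.get(p, []))
    return sorted(seen)


T, R = r"C:\Users\Admin\AppData\Local\Temp", r"C:\Users\Admin\AppData\Roaming\peele"
S32, WOW = r"C:\Windows\system32", r"C:\Windows\SysWOW64"
EXE, A3X = R + r"\exe\vshepard\reyna.exe", R + r"\a3x\gallery\doc_Factura.a3x"

# Constructed from the report's process tree (PIDs and command lines as logged).
CONSTRUCTED_EVENTS = [ProcEvent(*t) for t in [
    (2020, 1, S32 + r"\cmd.exe", f'cmd /c "{T}\\doc_Factura.cmd"', r"C:\Windows\explorer.exe"),
    (1016, 2020, S32 + r"\cmd.exe", f'{S32}\\cmd.exe /K "{T}\\doc_Factura.cmd"', S32 + r"\cmd.exe"),
    (740, 1016, S32 + r"\more.com", f"more +5 {T}\\doc_Factura.cmd", S32 + r"\cmd.exe"),
    (592, 1016, S32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -Command \"(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~\"", S32 + r"\cmd.exe"),
    (928, 1016, S32 + r"\certutil.exe", f'certutil -decode -f ~~ "{EXE}"', S32 + r"\cmd.exe"),
    (1312, 1016, S32 + r"\certutil.exe", f'certutil -decode -f {T}\\doc_Factura.cmd "{A3X}"', S32 + r"\cmd.exe"),
    (612, 1016, S32 + r"\Wbem\WMIC.exe", f"wmic process call create '\"{EXE}\" \"{A3X}\" \"\"' ,{T}\\", S32 + r"\cmd.exe"),
    (1132, 1016, S32 + r"\timeout.exe", "timeout /T 5", S32 + r"\cmd.exe"),
    (1484, 1000, EXE, f'"{EXE}" "{A3X}" ""', r"C:\Windows\System32\wbem\WmiPrvSE.exe"),  # ppid 1000 assumed
    (1632, 1484, WOW + r"\cmd.exe", r'cmd.exe /C choice /C Y /N /D Y /T 3 & RMDIR "C:\Users\Admin\AppData\Roaming\huiotu" /S /Q', EXE),
    (880, 1632, WOW + r"\choice.exe", "choice /C Y /N /D Y /T 3", WOW + r"\cmd.exe"),
    (1620, 1484, WOW + r"\cmd.exe", f'cmd.exe /C choice /C Y /N /D Y /T 3 & DEL "{A3X}', EXE),
    (852, 1620, WOW + r"\choice.exe", "choice /C Y /N /D Y /T 3", WOW + r"\cmd.exe"),
    # benign controls (assumed): must not fire
    (3000, 1, S32 + r"\certutil.exe", "certutil -verify site.cer", S32 + r"\cmd.exe"),
    (3001, 1, S32 + r"\Wbem\WMIC.exe", "wmic os get caption", S32 + r"\cmd.exe"),
]]

if __name__ == "__main__":
    for pid, rule in evaluate(CONSTRUCTED_EVENTS):
        print(pid, rule)
    print("from cmd.exe 1016:", subtree(CONSTRUCTED_EVENTS, 1016))
```

The subtree() helper is there to make one correlation pitfall explicit: because reyna.exe was started through wmic process call create, its parent is WmiPrvSE.exe, so a parent-chain walk from cmd.exe 1016 never reaches it. The two halves of the chain have to be joined on the command line (the decoded paths under AppData\Roaming\peele) rather than on lineage.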
Processes
- C:\Windows\system32\cmd.exe (PID 2020)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1016)
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\more.com (PID 740)
      more +5 C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd
      Emits the batch file minus its first five lines. The redirection is not visible in the child's command line, but the 1.3MB ~~ file in the same Temp directory (see Downloads) is consistent with the output being written there.
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 592)
      powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
      Rewrites ~~ in place with every '>' character removed, leaving plain base64 for the next step.
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\certutil.exe (PID 928)
      certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe"
      Base64-decodes the cleaned file into the 872KB reyna.exe listed under Downloads.
    - C:\Windows\system32\certutil.exe (PID 1312)
      certutil -decode -f C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x"
      Base64-decodes a block embedded in the batch file itself into the 113KB doc_Factura.a3x. The .a3x extension and the "reyna.exe <script>" invocation below are the compiled-AutoIt pattern, so reyna.exe is most likely a renamed AutoIt3 interpreter.
    - C:\Windows\System32\Wbem\WMIC.exe (PID 612)
      wmic process call create '"C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
      Launches the payload through Win32_Process.Create; the trailing ,C:\Users\Admin\AppData\Local\Temp\ is the CurrentDirectory argument. Processes created this way are parented to WmiPrvSE.exe, which is why reyna.exe appears as a separate root below instead of under this cmd.exe.
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe (PID 1132)
      timeout /T 5
      Signatures: Delays execution with timeout.exe
- C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe (PID 1484)
  "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""
  A 32-bit process: its children run from SysWOW64.
  Signatures: Executes dropped EXE; Loads dropped DLL; Accesses Microsoft Outlook profiles; NTFS ADS; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
  - C:\Windows\SysWOW64\cmd.exe (PID 1632)
    cmd.exe /C choice /C Y /N /D Y /T 3 & RMDIR "C:\Users\Admin\AppData\Roaming\huiotu" /S /Q
    choice with a 3-second default answer is used as a sleep before the directory is removed.
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 880)
      choice /C Y /N /D Y /T 3
  - C:\Windows\SysWOW64\cmd.exe (PID 1620)
    cmd.exe /C choice /C Y /N /D Y /T 3 & DEL "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
    Same sleep, then deletes the decoded script (the unbalanced quote is as logged).
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 852)
      choice /C Y /N /D Y /T 3
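The unpacking steps in the tree above (more +5, the PowerShell '>' removal, and the two certutil -decode calls) can be replayed offline to carve both payloads out of the batch file without executing it. The script below is an added example written for this page, not code from the sample or from the sandbox. Its certutil emulation (decode the text between the first -----BEGIN and -----END lines, otherwise the whole file), the 'AU3!EA06' marker it uses to recognise a compiled AutoIt script, the assumed redirection of more's output into ~~, and the constructed stand-in .cmd built by build_constructed_sample() are all assumptions; the real doc_Factura.cmd layout may differ.

```python
"""Static replay of the unpacking chain recorded in the process tree above.

Added example (analyst tooling), not code from the sample or the sandbox.
The batch file rebuilds its two payloads with living-off-the-land tools:

    more +5 doc_Factura.cmd > ~~                        (drop 5 lines; redirect assumed)
    powershell "(gc ~~) -replace '>', '' | Out-File ~~"   (delete every '>')
    certutil -decode -f ~~ reyna.exe                    (base64 -> dropped EXE)
    certutil -decode -f doc_Factura.cmd doc_Factura.a3x (base64 -> script)

Assumptions not stated on the report page: certutil's decoder is modelled as
"decode the text between the first -----BEGIN and -----END lines, otherwise
the whole file"; the A3X check looks for the 'AU3!EA06' marker of compiled
AutoIt scripts; the .cmd built by build_constructed_sample() is a constructed
stand-in with the layout the chain implies, not the real doc_Factura.cmd.
"""
import base64
import re

CERT_BLOCK = re.compile(r"-----BEGIN[^\n]*-----\r?\n(.*?)\r?\n-----END", re.S)
A3X_MARKER = b"AU3!EA06"   # assumption: compiled-AutoIt3 marker


def more_skip(text: str, n: int = 5) -> str:
    """Emulate `more +N`: drop the first N lines."""
    return "\n".join(text.split("\n")[n:])


def strip_gt(text: str) -> str:
    """Emulate `(gc f) -replace '>', ''`: remove every '>' character."""
    return text.replace(">", "")


def certutil_decode(text: str) -> bytes:
    """Approximate `certutil -decode`: base64-decode the first BEGIN/END block,
    or the whole input when no headers are present. Whitespace is ignored and
    undecodable input yields b'' instead of raising."""
    m = CERT_BLOCK.search(text)
    body = m.group(1) if m else text
    try:
        return base64.b64decode(re.sub(r"\s+", "", body))
    except ValueError:
        return b""


def classify(blob: bytes) -> str:
    """Tag a carved blob by its leading bytes."""
    if blob[:2] == b"MZ":
        return "PE"
    if A3X_MARKER in blob[:64]:
        return "A3X"
    return "unknown"


def carve(cmd_text: str) -> dict:
    """Replay both certutil invocations and return both payloads with tags."""
    a3x = certutil_decode(cmd_text)                        # certutil on the raw .cmd
    exe = certutil_decode(strip_gt(more_skip(cmd_text)))   # certutil on rewritten ~~
    return {"a3x": a3x, "exe": exe,
            "a3x_type": classify(a3x), "exe_type": classify(exe)}


def build_constructed_sample():
    """Constructed .cmd: a BEGIN/END block inside the first five lines (what
    certutil sees on the raw file) and a second block below it whose base64 is
    broken up with '>' so it only decodes after the PowerShell rewrite.
    Returns (text, exe_bytes, a3x_bytes). Not the real sample."""
    exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
    a3x = b"\xa3\x48\x4b\xbe" + A3X_MARKER + b"constructed script body"
    exe_b64 = base64.b64encode(exe).decode()
    broken = ">".join(exe_b64[i:i + 4] for i in range(0, len(exe_b64), 4))
    lines = [
        "@echo off",
        "-----BEGIN CERTIFICATE-----",
        base64.b64encode(a3x).decode(),
        "-----END CERTIFICATE-----",
        ":: everything after line 5 feeds the second decode",
        ">-----BEGIN CERTIFICATE-----",
        ">" + broken,
        ">-----END CERTIFICATE-----",
    ]
    return "\n".join(lines), exe, a3x


if __name__ == "__main__":
    text, _, _ = build_constructed_sample()
    out = carve(text)
    print(out["exe_type"], len(out["exe"]), out["a3x_type"], len(out["a3x"]))
```

To run it against the real sample, replace the constructed text with open("doc_Factura.cmd", errors="ignore").read(); if a decoded blob comes back as "unknown", the base64 block is not where the emulation expects it and CERT_BLOCK is the first thing to adjust.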
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~~
  Filesize: 1.3MB
  MD5: de84720f1079ee0be621edcda1f1a00d
  SHA1: a5c6694a4864956668b485d52501d4642210ef6a
  SHA256: 4dc59c4e6f73f6c9c17a40fe2fe0a74670b6a0b712b73a002ec497848894dd5d
  SHA512: 40f2415e9aa4ef2cdf343672ee74a545b08ecdf7f05f52cd29d54ba8051042720c36e2daa11b38d99fd18f6e18c0296b9a922ab4b8b89ed6b1a8a6524986d739
- C:\Users\Admin\AppData\Local\Temp\~~ (second version of the same path; two hash sets for one file are consistent with ~~ being written by more.com and then rewritten by the PowerShell step)
  Filesize: 1.3MB
  MD5: c7029bbb900d2ff0a555700d1603c370
  SHA1: 09c97464d3c902bc7bdfe1c8a0b75930c4b84949
  SHA256: 7fa404fbe12b55165ee044df040321bb8d94cabe89be5b74fa1374f0b057449c
  SHA512: 327d3da769aeb50ffc95aeb90bbf8537d5024a58aaaf020cb537997152f3905329346184819755a46c6d682c669624a03ac8ba1c8cc6d0fc1bddb22df376f619
- C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
  Filesize: 113KB
  MD5: dee4abb50d026cb3973fb6c48b9c623d
  SHA1: 4631c5decca463bdd19d397b526d690ed981bf5a
  SHA256: 005e51bcc1decf20239bb92a0411f669c2ad26c86839754ee34a43a2d020afa7
  SHA512: eabca61c8d335bb7e96cb48be1c241fc09cab6cf402e78e007ced51883b587a02915b694b8b180edd6c119455a43f91db52e6f111e7cbc7f6e4431cecd28da56
- C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- \Users\Admin\AppData\Local\Temp\sqlite3.dll (the DLL behind the "Loads dropped DLL" signature; stealers carry SQLite to read browser credential and cookie databases)
  Filesize: 858KB
  MD5: c7719f774bb859240eb6dfa91a1f10be
  SHA1: be1461e770333eb13e0fe66d378e3fac4f1112b5
  SHA256: b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4
  SHA512: 8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529
Memory dumps (PID-sequence-range):
- memory/592-58-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp (10.1MB)
- memory/592-56-0x0000000000000000-mapping.dmp
- memory/592-63-0x000000000285B000-0x000000000287A000-memory.dmp (124KB)
- memory/592-64-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
- memory/592-65-0x000000000285B000-0x000000000287A000-memory.dmp (124KB)
- memory/592-61-0x000000001B870000-0x000000001BB6F000-memory.dmp (3.0MB)
- memory/592-57-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp (8KB)
- memory/592-59-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp (11.4MB)
- memory/592-60-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
- memory/612-71-0x0000000000000000-mapping.dmp
- memory/740-55-0x0000000000000000-mapping.dmp
- memory/852-80-0x0000000000000000-mapping.dmp
- memory/880-81-0x0000000000000000-mapping.dmp
- memory/928-66-0x0000000000000000-mapping.dmp
- memory/928-67-0x00000000FF361000-0x00000000FF363000-memory.dmp (8KB)
- memory/1016-54-0x0000000000000000-mapping.dmp
- memory/1132-73-0x0000000000000000-mapping.dmp
- memory/1312-70-0x00000000FF6B1000-0x00000000FF6B3000-memory.dmp (8KB)
- memory/1312-69-0x0000000000000000-mapping.dmp
- memory/1484-74-0x0000000075451000-0x0000000075453000-memory.dmp (8KB)
- memory/1620-79-0x0000000000000000-mapping.dmp
- memory/1632-78-0x0000000000000000-mapping.dmp