Resubmissions

29-11-2022 12:57

221129-p7blyadg5y 8

29-11-2022 12:51

221129-p3txqadd7z 8

Analysis

  • max time kernel
    45s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2022 12:57

General

  • Target

    doc_Factura.cmd

  • Size

    1.3MB

  • MD5

    c4cdec52d55e23afe4ef8eb489a3f606

  • SHA1

    b702aaa5ad698ff53bf78888bb7b091d98744dc2

  • SHA256

    8139c3fe860410dee6c76c9bc1ababc163043f9d4784ed468fe8a25a7c0eae41

  • SHA512

    ce170ac5758ab384e7973fceaa7911d2e0f74f74c4f552e665b3d0d96a63663f732384d0238da37d71feca028b605e134e58a673a855fa6d539b5761926586c8

  • SSDEEP

    24576:botxQMlJvK+rvgp20/sNerYDfUizKFfUsmldic5sgFaT0hA06t8:cQCi+klmDMkEVYmi

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd
        3⤵
        PID:740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592
      • C:\Windows\system32\certutil.exe
        certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe"
        3⤵
        PID:928
      • C:\Windows\system32\certutil.exe
        certutil -decode -f C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x"
        3⤵
        PID:1312
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process call create '"C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Windows\system32\timeout.exe
        timeout /T 5
        3⤵
        • Delays execution with timeout.exe
        PID:1132
  • C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
    "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • NTFS ADS
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C choice /C Y /N /D Y /T 3 & RMDIR "C:\Users\Admin\AppData\Roaming\huiotu" /S /Q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:880
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C choice /C Y /N /D Y /T 3 & DEL "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files, T1081 (1)
  • Collection: Data from Local System, T1005 (1)
  • Collection: Email Collection, T1114 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize  1.3MB
    MD5  de84720f1079ee0be621edcda1f1a00d
    SHA1  a5c6694a4864956668b485d52501d4642210ef6a
    SHA256  4dc59c4e6f73f6c9c17a40fe2fe0a74670b6a0b712b73a002ec497848894dd5d
    SHA512  40f2415e9aa4ef2cdf343672ee74a545b08ecdf7f05f52cd29d54ba8051042720c36e2daa11b38d99fd18f6e18c0296b9a922ab4b8b89ed6b1a8a6524986d739

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize  1.3MB
    MD5  c7029bbb900d2ff0a555700d1603c370
    SHA1  09c97464d3c902bc7bdfe1c8a0b75930c4b84949
    SHA256  7fa404fbe12b55165ee044df040321bb8d94cabe89be5b74fa1374f0b057449c
    SHA512  327d3da769aeb50ffc95aeb90bbf8537d5024a58aaaf020cb537997152f3905329346184819755a46c6d682c669624a03ac8ba1c8cc6d0fc1bddb22df376f619

  • C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
    Filesize  113KB
    MD5  dee4abb50d026cb3973fb6c48b9c623d
    SHA1  4631c5decca463bdd19d397b526d690ed981bf5a
    SHA256  005e51bcc1decf20239bb92a0411f669c2ad26c86839754ee34a43a2d020afa7
    SHA512  eabca61c8d335bb7e96cb48be1c241fc09cab6cf402e78e007ced51883b587a02915b694b8b180edd6c119455a43f91db52e6f111e7cbc7f6e4431cecd28da56

  • C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
    Filesize  872KB
    MD5  c56b5f0201a3b3de53e561fe76912bfd
    SHA1  2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c


  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
    Filesize  858KB
    MD5  c7719f774bb859240eb6dfa91a1f10be
    SHA1  be1461e770333eb13e0fe66d378e3fac4f1112b5
    SHA256  b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4
    SHA512  8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

  • memory/592-58-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp (10.1MB)
  • memory/592-56-0x0000000000000000-mapping.dmp
  • memory/592-63-0x000000000285B000-0x000000000287A000-memory.dmp (124KB)
  • memory/592-64-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
  • memory/592-65-0x000000000285B000-0x000000000287A000-memory.dmp (124KB)
  • memory/592-61-0x000000001B870000-0x000000001BB6F000-memory.dmp (3.0MB)
  • memory/592-57-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp (8KB)
  • memory/592-59-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp (11.4MB)
  • memory/592-60-0x0000000002854000-0x0000000002857000-memory.dmp (12KB)
  • memory/612-71-0x0000000000000000-mapping.dmp
  • memory/740-55-0x0000000000000000-mapping.dmp
  • memory/852-80-0x0000000000000000-mapping.dmp
  • memory/880-81-0x0000000000000000-mapping.dmp
  • memory/928-66-0x0000000000000000-mapping.dmp
  • memory/928-67-0x00000000FF361000-0x00000000FF363000-memory.dmp (8KB)
  • memory/1016-54-0x0000000000000000-mapping.dmp
  • memory/1132-73-0x0000000000000000-mapping.dmp
  • memory/1312-70-0x00000000FF6B1000-0x00000000FF6B3000-memory.dmp (8KB)
  • memory/1312-69-0x0000000000000000-mapping.dmp
  • memory/1484-74-0x0000000075451000-0x0000000075453000-memory.dmp (8KB)
  • memory/1620-79-0x0000000000000000-mapping.dmp
  • memory/1632-78-0x0000000000000000-mapping.dmp