Resubmissions

29-11-2022 12:57

221129-p7blyadg5y 8

29-11-2022 12:51

221129-p3txqadd7z 8

Analysis

  • max time kernel
    186s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 12:57

General

  • Target

    doc_Factura.cmd

  • Size

    1.3MB

  • MD5

    c4cdec52d55e23afe4ef8eb489a3f606

  • SHA1

    b702aaa5ad698ff53bf78888bb7b091d98744dc2

  • SHA256

    8139c3fe860410dee6c76c9bc1ababc163043f9d4784ed468fe8a25a7c0eae41

  • SHA512

    ce170ac5758ab384e7973fceaa7911d2e0f74f74c4f552e665b3d0d96a63663f732384d0238da37d71feca028b605e134e58a673a855fa6d539b5761926586c8

  • SSDEEP

    24576:botxQMlJvK+rvgp20/sNerYDfUizKFfUsmldic5sgFaT0hA06t8:cQCi+klmDMkEVYmi

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Delays execution with timeout.exe (1 IoCs)
  • NTFS ADS (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (43 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (5 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd
        3⤵
        PID:4304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\system32\certutil.exe
        certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe"
        3⤵
        PID:1788
      • C:\Windows\system32\certutil.exe
        certutil -decode -f C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x"
        3⤵
        PID:5108
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process call create '"C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
      • C:\Windows\system32\timeout.exe
        timeout /T 5
        3⤵
        • Delays execution with timeout.exe
        PID:2208
  • C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
    "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""
    1⤵
    • Executes dropped EXE
    • Accesses Microsoft Outlook profiles
    • NTFS ADS
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • outlook_office_path
    • outlook_win_path
    PID:3556

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Collection
    Email Collection (1): T1114


Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize: 1.3MB
    MD5: de84720f1079ee0be621edcda1f1a00d
    SHA1: a5c6694a4864956668b485d52501d4642210ef6a
    SHA256: 4dc59c4e6f73f6c9c17a40fe2fe0a74670b6a0b712b73a002ec497848894dd5d
    SHA512: 40f2415e9aa4ef2cdf343672ee74a545b08ecdf7f05f52cd29d54ba8051042720c36e2daa11b38d99fd18f6e18c0296b9a922ab4b8b89ed6b1a8a6524986d739

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize: 1.3MB
    MD5: c7029bbb900d2ff0a555700d1603c370
    SHA1: 09c97464d3c902bc7bdfe1c8a0b75930c4b84949
    SHA256: 7fa404fbe12b55165ee044df040321bb8d94cabe89be5b74fa1374f0b057449c
    SHA512: 327d3da769aeb50ffc95aeb90bbf8537d5024a58aaaf020cb537997152f3905329346184819755a46c6d682c669624a03ac8ba1c8cc6d0fc1bddb22df376f619

  • C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
    Filesize: 113KB
    MD5: dee4abb50d026cb3973fb6c48b9c623d
    SHA1: 4631c5decca463bdd19d397b526d690ed981bf5a
    SHA256: 005e51bcc1decf20239bb92a0411f669c2ad26c86839754ee34a43a2d020afa7
    SHA512: eabca61c8d335bb7e96cb48be1c241fc09cab6cf402e78e007ced51883b587a02915b694b8b180edd6c119455a43f91db52e6f111e7cbc7f6e4431cecd28da56

  • C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/1284-142-0x0000000000000000-mapping.dmp
  • memory/1788-139-0x0000000000000000-mapping.dmp
  • memory/2044-132-0x0000000000000000-mapping.dmp
  • memory/2208-144-0x0000000000000000-mapping.dmp
  • memory/3164-138-0x00007FF99DD00000-0x00007FF99E7C1000-memory.dmp
    Filesize: 10.8MB
  • memory/3164-137-0x00007FF99DD00000-0x00007FF99E7C1000-memory.dmp
    Filesize: 10.8MB
  • memory/3164-135-0x0000023464B10000-0x0000023464B32000-memory.dmp
    Filesize: 136KB
  • memory/3164-134-0x0000000000000000-mapping.dmp
  • memory/4304-133-0x0000000000000000-mapping.dmp
  • memory/5108-141-0x0000000000000000-mapping.dmp