Analysis
- max time kernel: 186s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: doc_Factura.cmd
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: doc_Factura.cmd
- Resource: win10v2004-20221111-en
General
- Target: doc_Factura.cmd
- Size: 1.3MB
- MD5: c4cdec52d55e23afe4ef8eb489a3f606
- SHA1: b702aaa5ad698ff53bf78888bb7b091d98744dc2
- SHA256: 8139c3fe860410dee6c76c9bc1ababc163043f9d4784ed468fe8a25a7c0eae41
- SHA512: ce170ac5758ab384e7973fceaa7911d2e0f74f74c4f552e665b3d0d96a63663f732384d0238da37d71feca028b605e134e58a673a855fa6d539b5761926586c8
- SSDEEP: 24576:botxQMlJvK+rvgp20/sNerYDfUizKFfUsmldic5sgFaT0hA06t8:cQCi+klmDMkEVYmi
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: reyna.exe (PID 3556)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: reyna.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (PID 2208)
- NTFS ADS (1 IoC)
  Process: reyna.exe
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (PID 3164), recorded twice
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  - powershell.exe (PID 3164): Token: SeDebugPrivilege
  - WMIC.exe (PID 1284), each of the following tokens recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: reyna.exe (PID 3556), five events
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes: reyna.exe (PID 3556), five events
- Suspicious use of WriteProcessMemory (14 IoCs), each of the following recorded twice:
  - PID 1072 cmd.exe wrote to memory of PID 2044 cmd.exe
  - PID 2044 cmd.exe wrote to memory of PID 4304 more.com
  - PID 2044 cmd.exe wrote to memory of PID 3164 powershell.exe
  - PID 2044 cmd.exe wrote to memory of PID 1788 certutil.exe
  - PID 2044 cmd.exe wrote to memory of PID 5108 certutil.exe
  - PID 2044 cmd.exe wrote to memory of PID 1284 WMIC.exe
  - PID 2044 cmd.exe wrote to memory of PID 2208 timeout.exe
- outlook_office_path (1 IoC)
  Process: reyna.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: reyna.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe (depth 2)
  Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\more.com (depth 3)
  Command line: more +5 C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\certutil.exe (depth 3)
  Command line: certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe"
- C:\Windows\system32\certutil.exe (depth 3)
  Command line: certutil -decode -f C:\Users\Admin\AppData\Local\Temp\doc_Factura.cmd "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x"
- C:\Windows\System32\Wbem\WMIC.exe (depth 3)
  Command line: wmic process call create '"C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\timeout.exe (depth 3)
  Command line: timeout /T 5
  - Delays execution with timeout.exe
- C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe" "C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x" ""
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~~
  Filesize: 1.3MB
  MD5: de84720f1079ee0be621edcda1f1a00d
  SHA1: a5c6694a4864956668b485d52501d4642210ef6a
  SHA256: 4dc59c4e6f73f6c9c17a40fe2fe0a74670b6a0b712b73a002ec497848894dd5d
  SHA512: 40f2415e9aa4ef2cdf343672ee74a545b08ecdf7f05f52cd29d54ba8051042720c36e2daa11b38d99fd18f6e18c0296b9a922ab4b8b89ed6b1a8a6524986d739
- C:\Users\Admin\AppData\Local\Temp\~~
  Filesize: 1.3MB
  MD5: c7029bbb900d2ff0a555700d1603c370
  SHA1: 09c97464d3c902bc7bdfe1c8a0b75930c4b84949
  SHA256: 7fa404fbe12b55165ee044df040321bb8d94cabe89be5b74fa1374f0b057449c
  SHA512: 327d3da769aeb50ffc95aeb90bbf8537d5024a58aaaf020cb537997152f3905329346184819755a46c6d682c669624a03ac8ba1c8cc6d0fc1bddb22df376f619
- C:\Users\Admin\AppData\Roaming\peele\a3x\gallery\doc_Factura.a3x
  Filesize: 113KB
  MD5: dee4abb50d026cb3973fb6c48b9c623d
  SHA1: 4631c5decca463bdd19d397b526d690ed981bf5a
  SHA256: 005e51bcc1decf20239bb92a0411f669c2ad26c86839754ee34a43a2d020afa7
  SHA512: eabca61c8d335bb7e96cb48be1c241fc09cab6cf402e78e007ced51883b587a02915b694b8b180edd6c119455a43f91db52e6f111e7cbc7f6e4431cecd28da56
- C:\Users\Admin\AppData\Roaming\peele\exe\vshepard\reyna.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- memory/1284-142-0x0000000000000000-mapping.dmp
- memory/1788-139-0x0000000000000000-mapping.dmp
- memory/2044-132-0x0000000000000000-mapping.dmp
- memory/2208-144-0x0000000000000000-mapping.dmp
- memory/3164-138-0x00007FF99DD00000-0x00007FF99E7C1000-memory.dmp (Filesize: 10.8MB)
- memory/3164-137-0x00007FF99DD00000-0x00007FF99E7C1000-memory.dmp (Filesize: 10.8MB)
- memory/3164-135-0x0000023464B10000-0x0000023464B32000-memory.dmp (Filesize: 136KB)
- memory/3164-134-0x0000000000000000-mapping.dmp
- memory/4304-133-0x0000000000000000-mapping.dmp
- memory/5108-141-0x0000000000000000-mapping.dmp