Analysis
max time kernel: 314s
max time network: 335s
platform: windows7_x64
resource: win7-20221111-es
resource tags: arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system:windows
submitted: 07-12-2022 18:14
Static task: static1
Behavioral task behavioral1: sample Recibo Pago_01.rar, resource win7-20221111-es
Behavioral task behavioral2: sample Recibo Pago_01.rar, resource win10v2004-20221111-es
Behavioral task behavioral3: sample Recibo Pago_01.exe, resource win7-20221111-es
General
Target: Recibo Pago_01.rar
Size: 1.9MB
MD5: 7b5849e491b7ae753c555293447a2d17
SHA1: 475f3108b25dc099ecdcfdbb37a831ed148845a8
SHA256: df98652a71de6673d479e851062625876b214b4a2d13c3ff75390bab9a342fc6
SHA512: 68209f03d63e9b2259f722a366fe63aa6d7288ed479f1e52a308c45b6ccbaa8c103e3c2bdfea4c2b406d634e9829a0dfdf69dc98b0d8b98ec1ffba3038d2e28f
SSDEEP: 24576:3APtR/YLe9W3yfagBqG0cBuuduaY12U3hvVY6fqPvyPDrj2fcAVmftbjJr8Vkhh:aRo3CVBq9cBKb12sXCPvJ/wftbjRb
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox tags this as likely ransomware behaviour. Caveat for this run: the only process created besides the launcher is the shell's Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL) for the .rar, so the archive was never extracted or executed in this task, and this generic signature should not be read as evidence of ransomware on its own.
Modifies registry class (2 IoCs)
Process: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Both keys belong to the per-user MuiCache, which the shell populates with the display names of programs it presents (for example in the Open With dialog). This is a shell artifact of the dialog, not a persistence mechanism written by the sample.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: rundll32.exe, PID 1740
Repeated GetForegroundWindow calls from the process hosting the Open With dialog; a GUI dialog checking the foreground window is expected and is not, by itself, an evasion indicator.
Suspicious use of WriteProcessMemory (3 IoCs)
Process: cmd.exe, PID 2040 wrote to the memory of rundll32.exe, PID 1740 (three writes recorded)
A parent writing into the child it has just created is normal CreateProcess behaviour; without a later remote thread or unusual target, this is not evidence of process injection.
Processes
C:\Windows\system32\cmd.exe (PID 2040)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.rar"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID 1740, child of cmd.exe)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.rar
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
Note: cmd /c "<file>" hands the file to the shell, and shell32.dll,OpenAs_RunDLL is the Open With dialog the shell launches when no application is associated with the file's extension. No archiver or payload process appears in the tree, so the contents of Recibo Pago_01.rar never ran in this task; the extracted executable is instead the sample of behavioral task behavioral3.
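The check a triage analyst wants to make on a tree like this is whether the sample detonated at all, or whether the sandbox merely showed the Open With dialog because the image had no handler for the extension. The following is an added example, not part of the sandbox report: it reads a list of process-creation events (constructed here from the report's process tree, with PIDs from the WriteProcessMemory IoCs), strips the launcher and any OpenAs_RunDLL dialog targeting the submitted sample, and reports what is left. The second event list is a hypothetical counter-example with made-up archiver and payload paths to show the other outcome.

```python
"""Triage helper for a sandbox process tree: did the sample detonate?

Added example, not part of the sandbox report. REPORT_EVENTS is
constructed from the process tree in the report; HYPOTHETICAL_DETONATED
uses invented paths and PIDs.
"""
import re

# Constructed from the report's process tree (ppid 0 marks the root launcher).
REPORT_EVENTS = [
    {"pid": 2040, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.rar"'},
    {"pid": 1740, "ppid": 2040, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.rar'},
]

# Hypothetical counter-example (not from the report): an archiver was
# associated with .rar and a payload extracted from the archive was run.
HYPOTHETICAL_DETONATED = [
    REPORT_EVENTS[0],
    {"pid": 1500, "ppid": 2040, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.rar"'},
    {"pid": 1612, "ppid": 1500, "image": r"C:\Users\Admin\AppData\Local\Temp\Rar$EXa0\Recibo Pago_01.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Rar$EXa0\Recibo Pago_01.exe"'},
]

# rundll32 shell32.dll,OpenAs_RunDLL <path> is the Open With dialog the shell
# launches when no handler is associated with the file's extension.
OPENAS_RE = re.compile(r"shell32\.dll\s*,\s*OpenAs_RunDLL\s+(.+?)\s*$", re.IGNORECASE)

# Processes the sandbox itself uses to launch the sample; never sample activity.
LAUNCHERS = {"cmd.exe", "explorer.exe"}


def image_name(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def openas_targets(events):
    """Paths for which rundll32 displayed the Open With dialog."""
    targets = []
    for ev in events:
        if image_name(ev["image"]) != "rundll32.exe":
            continue
        m = OPENAS_RE.search(ev["cmdline"])
        if m:
            targets.append(m.group(1).strip('"'))
    return targets


def classify_run(events, sample_name):
    """Return ('detonated' | 'not_detonated', [image names of real activity]).

    Launcher processes are ignored. A rundll32 OpenAs_RunDLL whose target is
    the submitted sample is the shell asking which program to use, so it is
    ignored too: it means the file was never opened. Anything else counts as
    activity the analyst should read.
    """
    sample = sample_name.lower()
    activity = []
    for ev in events:
        name = image_name(ev["image"])
        if name in LAUNCHERS:
            continue
        if name == "rundll32.exe":
            m = OPENAS_RE.search(ev["cmdline"])
            if m and image_name(m.group(1).strip('"')) == sample:
                continue
        activity.append(name)
    return ("detonated" if activity else "not_detonated"), activity


if __name__ == "__main__":
    for label, events in (("report", REPORT_EVENTS), ("hypothetical", HYPOTHETICAL_DETONATED)):
        verdict, children = classify_run(events, "Recibo Pago_01.rar")
        print(f"{label}: {verdict} {children} open-with targets={openas_targets(events)}")
```

On the report's tree the verdict is not_detonated with an empty activity list, which is the practical reading of this task: resubmit on an image that has an archiver, or submit the extracted file directly, before drawing conclusions from the signatures above.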