Analysis Overview
SHA256
29d212f84a154cdc5f3d9427f03113e9681dee943963a9779f466ecadab0ed40
Threat Level: Known bad
The file CaixaBank_ Documento de Pago_Pdf.iso was found to be: Known bad.
Malicious Activity Summary
Purecrypter family
PureCrypter
AgentTesla
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-10 10:50
Signatures
Purecrypter family
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-10 10:50
Reported
2023-02-10 10:53
Platform
win7-20220812-es
Max time kernel
152s
Max time network
154s
Command Line
Signatures
AgentTesla
PureCrypter
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ryjtppsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ulrfeummho\\Ryjtppsu.exe\"" | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 832 set thread context of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | superbtanzaniasafaris.com | udp |
| US | 198.54.116.34:80 | superbtanzaniasafaris.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:443 | api.ipify.org | tcp |
Files
memory/832-54-0x0000000000EC0000-0x0000000000ED8000-memory.dmp
memory/832-55-0x0000000076CE1000-0x0000000076CE3000-memory.dmp
memory/832-56-0x0000000005BE0000-0x0000000005C94000-memory.dmp
memory/832-57-0x00000000009B0000-0x00000000009CA000-memory.dmp
memory/1248-58-0x0000000000000000-mapping.dmp
memory/1248-60-0x000000006ECD0000-0x000000006F27B000-memory.dmp
memory/1248-61-0x000000006ECD0000-0x000000006F27B000-memory.dmp
memory/1248-62-0x000000006ECD0000-0x000000006F27B000-memory.dmp
memory/1792-63-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-64-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-66-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-67-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-69-0x000000000042A56E-mapping.dmp
memory/1792-68-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-71-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-73-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-10 10:50
Reported
2023-02-10 10:53
Platform
win10v2004-20221111-es
Max time kernel
149s
Max time network
161s
Command Line
Signatures
AgentTesla
PureCrypter
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ryjtppsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ulrfeummho\\Ryjtppsu.exe\"" | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4872 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | superbtanzaniasafaris.com | udp |
| US | 198.54.116.34:80 | superbtanzaniasafaris.com | tcp |
| NL | 8.238.20.126:80 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| US | 20.42.72.131:443 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 8.238.21.126:80 | tcp | |
| US | 52.109.13.62:443 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:443 | api.ipify.org | tcp |
| US | 40.77.2.164:443 | tcp | |
| US | 67.26.109.254:80 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 52.109.13.62:443 | tcp | |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
Files
memory/4872-132-0x0000000000DC0000-0x0000000000DD8000-memory.dmp
memory/4872-133-0x0000000005DF0000-0x0000000006394000-memory.dmp
memory/4872-134-0x0000000005840000-0x00000000058D2000-memory.dmp
memory/4872-135-0x00000000067B0000-0x00000000067F0000-memory.dmp
memory/4872-136-0x0000000007480000-0x00000000074A2000-memory.dmp
memory/1944-137-0x0000000000000000-mapping.dmp
memory/1944-138-0x0000000002560000-0x0000000002596000-memory.dmp
memory/1944-139-0x0000000005150000-0x0000000005778000-memory.dmp
memory/1944-140-0x0000000004E00000-0x0000000004E82000-memory.dmp
memory/1944-141-0x0000000005850000-0x00000000058B6000-memory.dmp
memory/1944-142-0x00000000058C0000-0x0000000005926000-memory.dmp
memory/1944-143-0x0000000005830000-0x0000000005840000-memory.dmp
memory/1944-144-0x0000000005EE0000-0x0000000005FE2000-memory.dmp
memory/1944-145-0x0000000006070000-0x000000000608E000-memory.dmp
memory/1944-146-0x00000000078B0000-0x0000000007F2A000-memory.dmp
memory/1944-147-0x0000000006570000-0x000000000658A000-memory.dmp
memory/1660-148-0x0000000000000000-mapping.dmp
memory/1660-149-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CAIXABAN.exe.log
| MD5 | fa566c9cc0cdfc2479d186ed2a7d2078 |
| SHA1 | a4f5bc2d5d055a766b19f095f0a670eeda57c24b |
| SHA256 | bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960 |
| SHA512 | ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f |
memory/1660-151-0x0000000006B70000-0x0000000006B7A000-memory.dmp
memory/1660-152-0x0000000006B80000-0x0000000006BD0000-memory.dmp