5d6deb056a1b40dee972a4515d89afe16c5ef76a045ac2c6220cd1085ab6b88a

Analysis

max time kernel
51s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Agentes_Seguridad.exe
Size

88KB
MD5

1fc5329c18b6347c1636bf6740228bc5
SHA1

e2845fcedbb2e8e45c902fa70a6976d0687fa662
SHA256

5d6deb056a1b40dee972a4515d89afe16c5ef76a045ac2c6220cd1085ab6b88a
SHA512

43f143ac477f77acb2123631aad43729eecf116cd5a18b1a4f6cf87578a69fdcaebd1c4eb6c0950ba7ad0b2d5187e2d7bfe1bc9bab827acb98be30cf59bd08c2
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfOxDH1:Hq6+ouCpk2mpcWJ0r+QNTBfOZ1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1868	timeout.exe
1608	timeout.exe
1932	timeout.exe
1320	timeout.exe
1688	timeout.exe
1992	timeout.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1048	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1048	msiexec.exe
Token: SeLockMemoryPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeMachineAccountPrivilege	1048	msiexec.exe
Token: SeTcbPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeLoadDriverPrivilege	1048	msiexec.exe
Token: SeSystemProfilePrivilege	1048	msiexec.exe
Token: SeSystemtimePrivilege	1048	msiexec.exe
Token: SeProfSingleProcessPrivilege	1048	msiexec.exe
Token: SeIncBasePriorityPrivilege	1048	msiexec.exe
Token: SeCreatePagefilePrivilege	1048	msiexec.exe
Token: SeCreatePermanentPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeDebugPrivilege	1048	msiexec.exe
Token: SeAuditPrivilege	1048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1048	msiexec.exe
Token: SeChangeNotifyPrivilege	1048	msiexec.exe
Token: SeRemoteShutdownPrivilege	1048	msiexec.exe
Token: SeUndockPrivilege	1048	msiexec.exe
Token: SeSyncAgentPrivilege	1048	msiexec.exe
Token: SeEnableDelegationPrivilege	1048	msiexec.exe
Token: SeManageVolumePrivilege	1048	msiexec.exe
Token: SeImpersonatePrivilege	1048	msiexec.exe
Token: SeCreateGlobalPrivilege	1048	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1120	1304	Agentes_Seguridad.exe	27
PID 1304 wrote to memory of 1120	1304	Agentes_Seguridad.exe	27
PID 1304 wrote to memory of 1120	1304	Agentes_Seguridad.exe	27
PID 1304 wrote to memory of 1120	1304	Agentes_Seguridad.exe	27
PID 1120 wrote to memory of 1932	1120	cmd.exe	29
PID 1120 wrote to memory of 1932	1120	cmd.exe	29
PID 1120 wrote to memory of 1932	1120	cmd.exe	29
PID 1120 wrote to memory of 1320	1120	cmd.exe	30
PID 1120 wrote to memory of 1320	1120	cmd.exe	30
PID 1120 wrote to memory of 1320	1120	cmd.exe	30
PID 1120 wrote to memory of 1048	1120	cmd.exe	31
PID 1120 wrote to memory of 1048	1120	cmd.exe	31
PID 1120 wrote to memory of 1048	1120	cmd.exe	31
PID 1120 wrote to memory of 1048	1120	cmd.exe	31
PID 1120 wrote to memory of 1048	1120	cmd.exe	31
PID 1120 wrote to memory of 1688	1120	cmd.exe	33
PID 1120 wrote to memory of 1688	1120	cmd.exe	33
PID 1120 wrote to memory of 1688	1120	cmd.exe	33
PID 1120 wrote to memory of 1992	1120	cmd.exe	34
PID 1120 wrote to memory of 1992	1120	cmd.exe	34
PID 1120 wrote to memory of 1992	1120	cmd.exe	34
PID 1120 wrote to memory of 1868	1120	cmd.exe	35
PID 1120 wrote to memory of 1868	1120	cmd.exe	35
PID 1120 wrote to memory of 1868	1120	cmd.exe	35
PID 1120 wrote to memory of 1892	1120	cmd.exe	36
PID 1120 wrote to memory of 1892	1120	cmd.exe	36
PID 1120 wrote to memory of 1892	1120	cmd.exe	36
PID 1120 wrote to memory of 1608	1120	cmd.exe	38
PID 1120 wrote to memory of 1608	1120	cmd.exe	38
PID 1120 wrote to memory of 1608	1120	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe
"C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\465.tmp\466.tmp\467.bat C:\Users\Admin\AppData\Local\Temp\Agentes_Seguridad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1320
- - C:\Windows\system32\msiexec.exe
    msiexec /I C:\Instaladores\Qualys_Netskope\NSClient_84.2.2.576.msi /qn token=kL2RDKffsNqc637CG94L host=addon-davivienda-co.goskope.com mode=peruserconfig autoupdate=on
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1688
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- - C:\Windows\system32\cscript.exe
    cscript //B "C:\Windows\system32\slmgr.vbs" /ipk GGFFH-WGNB4-CXXDQ-WTB8B-WHV3B
    3⤵
    PID:1892
- - C:\Windows\system32\timeout.exe
    timeout /t 9 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\465.tmp\466.tmp\467.bat

Filesize
1KB

MD5
9426ea177514706ca2b92b10dc6a2036

SHA1
e9101b85e53e9563884f768b743e72bd4e058773

SHA256
72a9b68f780ffd5025891881248902e784ba556cc9e431dd8beba445a731a77c

SHA512
459cd8215ba0d6ed822d2f4e7cafa3221547233b52fd5b5dcd33ebcf2cb894c07f9dd5b2fc731241d1a9444bec5a82cc772fa4993b6fc7022cb2543db3eb974d

Download Submit