Analysis
-
max time kernel
150s
-
max time network
140s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
02-04-2023 08:09
Static task
static1
Behavioral task
behavioral1
Sample
Perfil de empresa y solicitud de pedido-pdf.exe
Resource
win7-20230220-en
General
-
Target
Perfil de empresa y solicitud de pedido-pdf.exe
-
Size
817KB
-
MD5
934b4aa04d107f3f1e4df18c1f4602c0
-
SHA1
78fd7a3ff4d72fc10dc2580ed51107d378a3917b
-
SHA256
be2d13c0a69ec836fb9e404b03dbfa04d7adb067ff00bda1375182dcc6bffa6f
-
SHA512
3071bea94409178dfc0a4d2107f435403bd1842ad6d899e933fbd8642aaa6f65d03fd6d4c0b0263b8c95ab4a42c594e9e5c4e1f72c26855529dd89feb4ebdc04
-
SSDEEP
24576:NuxnYfyuqYOEzbPDzse2IWZDNjpg2IRezTZ:Qh+yuOI0z9lNjp8RkZ
Malware Config
Extracted
formbook
4.1
il23
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Formbook payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4356-146-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/3968-157-0x00000000012A0000-0x00000000012CF000-memory.dmp | formbook
behavioral2/memory/4356-158-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/3968-160-0x00000000012A0000-0x00000000012CF000-memory.dmp | formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Perfil de empresa y solicitud de pedido-pdf.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Perfil de empresa y solicitud de pedido-pdf.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
3848 | Perfil de empresa y solicitud de pedido-pdf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid | process
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
3848 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3848 set thread context of 4356 | 3848 | Perfil de empresa y solicitud de pedido-pdf.exe | Perfil de empresa y solicitud de pedido-pdf.exe
PID 4356 set thread context of 3132 | 4356 | Perfil de empresa y solicitud de pedido-pdf.exe | Explorer.EXE
PID 3968 set thread context of 3132 | 3968 | svchost.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
3968 | svchost.exe
3968 | svchost.exe
3968 | svchost.exe
3968 | svchost.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
3848 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
4356 | Perfil de empresa y solicitud de pedido-pdf.exe
3968 | svchost.exe
3968 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4356 | Perfil de empresa y solicitud de pedido-pdf.exe
Token: SeShutdownPrivilege | 3132 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3132 | Explorer.EXE
Token: SeShutdownPrivilege | 3132 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3132 | Explorer.EXE
Token: SeDebugPrivilege | 3968 | svchost.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 3848 wrote to memory of 4356 | 3848 | Perfil de empresa y solicitud de pedido-pdf.exe | Perfil de empresa y solicitud de pedido-pdf.exe
PID 3848 wrote to memory of 4356 | 3848 | Perfil de empresa y solicitud de pedido-pdf.exe | Perfil de empresa y solicitud de pedido-pdf.exe
PID 3848 wrote to memory of 4356 | 3848 | Perfil de empresa y solicitud de pedido-pdf.exe | Perfil de empresa y solicitud de pedido-pdf.exe
PID 3848 wrote to memory of 4356 | 3848 | Perfil de empresa y solicitud de pedido-pdf.exe | Perfil de empresa y solicitud de pedido-pdf.exe
PID 3132 wrote to memory of 3968 | 3132 | Explorer.EXE | svchost.exe
PID 3132 wrote to memory of 3968 | 3132 | Explorer.EXE | svchost.exe
PID 3132 wrote to memory of 3968 | 3132 | Explorer.EXE | svchost.exe
PID 3968 wrote to memory of 2632 | 3968 | svchost.exe | cmd.exe
PID 3968 wrote to memory of 2632 | 3968 | svchost.exe | cmd.exe
PID 3968 wrote to memory of 2632 | 3968 | svchost.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Depth: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
-
C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
Depth: 2
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3848
-
C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
Depth: 3
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4356
-
C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Windows\SysWOW64\svchost.exe"
Depth: 2
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
Depth: 3
PID:2632
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsiE9C9.tmp\System.dll
Filesize
11KB
MD5
75ed96254fbf894e42058062b4b4f0d1
SHA1
996503f1383b49021eb3427bc28d13b5bbd11977
SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
memory/3132-152-0x0000000008650000-0x000000000873D000-memory.dmp
Filesize
948KB
-
memory/3848-142-0x00000000041A0000-0x000000000636D000-memory.dmp
Filesize
33.8MB
-
memory/3848-143-0x00000000041A0000-0x000000000636D000-memory.dmp
Filesize
33.8MB
-
memory/3968-160-0x00000000012A0000-0x00000000012CF000-memory.dmp
Filesize
188KB
-
memory/3968-159-0x0000000001D00000-0x000000000204A000-memory.dmp
Filesize
3.3MB
-
memory/3968-157-0x00000000012A0000-0x00000000012CF000-memory.dmp
Filesize
188KB
-
memory/3968-156-0x0000000000290000-0x000000000029E000-memory.dmp
Filesize
56KB
-
memory/3968-153-0x0000000000290000-0x000000000029E000-memory.dmp
Filesize
56KB
-
memory/4356-145-0x0000000001660000-0x000000000382D000-memory.dmp
Filesize
33.8MB
-
memory/4356-151-0x0000000033A70000-0x0000000033A84000-memory.dmp
Filesize
80KB
-
memory/4356-150-0x0000000001660000-0x000000000382D000-memory.dmp
Filesize
33.8MB
-
memory/4356-149-0x0000000033C70000-0x0000000033FBA000-memory.dmp
Filesize
3.3MB
-
memory/4356-147-0x0000000001660000-0x000000000382D000-memory.dmp
Filesize
33.8MB
-
memory/4356-155-0x0000000001660000-0x000000000382D000-memory.dmp
Filesize
33.8MB
-
memory/4356-158-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/4356-146-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/4356-144-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB