Analysis
-
max time kernel
467s -
max time network
410s -
platform
windows7_x64 -
resource
win7-20230220-es -
resource tags
-
submitted
09-05-2023 22:19
General
-
Target
muestra.txt
-
Size
1.5MB
-
MD5
9188e0af38883f23df89ea2cbc64e6eb
-
SHA1
f4ff29d7d99f81eae2676091a8f6cdf37116476d
-
SHA256
1f985f1f9f3208c1d08509fabd9aefad93dea9e47026e6d289667d9c3d931656
-
SHA512
88901a05c2bb67e20e8a3a7bae3fc6f7668cc479fff1205e9a0f4781161af6013007dab62e3d114cc2145f3e5ba71fbbe655c27d4e6177a8529d3d70969e2fab
-
SSDEEP
24576:sBShIymxlhKpQSpyVa2NYMJXTXVnyjBc/CZQYr8hiFaVmlAbKkMK+2lhL:ed/NYM87CtRV
Malware Config
Signatures
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 33 IoCs
-
NTFS ADS 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\muestra.txt1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5201⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Documents\muestra.cmd" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\Documents\muestra.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\more.commore +5 C:\Users\Admin\Documents\muestra.cmd3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(gc ~~) -replace '<', '' | Out-File -encoding ASCII ~~"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.execertutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe"3⤵
-
-
C:\Windows\system32\certutil.execertutil -decode -f C:\Users\Admin\Documents\muestra.cmd "C:\Users\Admin\AppData\Roaming\o'neill\a3x\benitez\muestra.a3x"3⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process call create '"C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe" "C:\Users\Admin\AppData\Roaming\o'neill\a3x\benitez\muestra.a3x" ""' ,C:\Users\Admin\Documents\3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /T 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe"C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe" "C:\Users\Admin\AppData\Roaming\o'neill\a3x\benitez\muestra.a3x" ""1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe"C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe" C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\g2lz72g.jpg2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exeC:\Users\Admin\AppData\Roaming\o'neill\exe\vsigmon\mcnamara.exe /AutoIt3ExecuteLine "MsgBox(262144, 'Error de emision', 'Este e-mail ha sido enviado por error y ha sido revocado por su emisor. Por favor haga caso omiso a este e-mail.')"2⤵
- Executes dropped EXE
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awc5drm0\awc5drm0.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53FB.tmp" "c:\Users\Admin\AppData\Local\Temp\awc5drm0\CSCEC96984BFE144C1586B0E24991987B8.TMP"3⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\~~1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\~~2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD501d02c22856b2a43f1ede3f73c39f0c3
SHA116bf956cc24e523a699d812e96d97f23365f79fc
SHA25691bd880e1b01e22e019238621a9c3cf042f05bb719b4c05565957fd5495048a6
SHA512f5b28490fe1938d76f406b4ce699f60ac8a2587088d1400a8a91c976ef358965ec12a6c7d1d3d0eff9e7a9fb0747c5d55ca968d25a721f75f0ae5a44f2c848dc
-
Filesize
21KB
MD5f0283b67ce0c9ea27e20656b0cae272f
SHA142fb6e47b8cf1b75b83701c1e15ca5e0bcc1ce0f
SHA256a207c8a60b4dbb76f09daff86954046278b23a39b354e5c47f2dd8f603f5a8be
SHA51251a13074ce38b6de07a9b6550ac7779011a98ec0002fd03aec8a41bb8a60b326f8fdad64d609e45ca1af549ac319bd044a305b5c8d671b0d44c382511dc4d030
-
Filesize
21KB
MD5aaffc8296ad80a06bccfd79f4e4d44fe
SHA108fb808317da2f1a1003fa5c9320f2259e30311d
SHA2566120456ff144620518e6a0c4019db5c9ba5e9780b6ac6df8d7884dc3255409ea
SHA512157907cec34cb00a3787766a961c261849c5f611dae3e746fe8e67229fa9c424506a421711c75950ee8d99657587477011c14d59849890acc46c6514011d88ed
-
Filesize
321B
MD51fe96da97eeedc7b4f3fe331f068e5f1
SHA143c1a99587e10802da4f9a4122e7640d555a264b
SHA256d969529c165c01641e89a0230f935be4b4394bb5987d8b4c399cc7d597b880a1
SHA512578352fdcda509dfc6e13f0fd40a322b2e14ee4188be30e60598c747b8e4a7d4c7e4f4cf6765b91417fae54014377761bb669ee5c05c639f25104c9e4f13fb6d
-
Filesize
7KB
MD5fdee8f50196535141dbc46df92152652
SHA1944b1127501770da3f3dc83b4075bde253327018
SHA25618678f877b1b2f69e4c70338dbbcbadc84cf8973a74b6440b9742f987952ca5a
SHA51293855b00b9fc691e96febdf657f78552882f07dd14f133cd61e28bdf8e4ad7235c5e23bf79f7e4ee29a02d3c6f7293771f3fb0a5cfebf928f5aa42077ca4411a
-
Filesize
146KB
MD5b48040f3c14694b4f605222c1f333599
SHA1f76e6ea02058f3a32a4f14445aa6d0bc586a4007
SHA256673b032db9749fc1ee0cff3d051b60e320a39b9a9b83c454c4c6c1bcc9e9dfee
SHA5122a0a9309ceaa9cbea27a058431745ff83e707cb6a38fac7bd944cd612b95704b33d3004e48596a330ac038298b03934ca92ba59b40801c82f4071f1474d6eb65
-
Filesize
7KB
MD5fdee8f50196535141dbc46df92152652
SHA1944b1127501770da3f3dc83b4075bde253327018
SHA25618678f877b1b2f69e4c70338dbbcbadc84cf8973a74b6440b9742f987952ca5a
SHA51293855b00b9fc691e96febdf657f78552882f07dd14f133cd61e28bdf8e4ad7235c5e23bf79f7e4ee29a02d3c6f7293771f3fb0a5cfebf928f5aa42077ca4411a
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
1.5MB
MD59188e0af38883f23df89ea2cbc64e6eb
SHA1f4ff29d7d99f81eae2676091a8f6cdf37116476d
SHA2561f985f1f9f3208c1d08509fabd9aefad93dea9e47026e6d289667d9c3d931656
SHA51288901a05c2bb67e20e8a3a7bae3fc6f7668cc479fff1205e9a0f4781161af6013007dab62e3d114cc2145f3e5ba71fbbe655c27d4e6177a8529d3d70969e2fab
-
Filesize
1.5MB
MD5b3393405c57b2e0a93b3d39ef776a51b
SHA13b854feca62952c263ae8ffd0ceacfc277f0c954
SHA256c0bc90ba536d5ecb2bdc9336a1a57baf32bdb326d2e2ea3b8ee5cf43be38eb23
SHA512b815cc4eac14c2d40bb003ba758ae790d8263a138492ee8a369ac3db6d3d4f9aabc123a96a0a7de40e9c2af8e29b554190e10ec05fb275820ce56a76debc3229
-
Filesize
1.4MB
MD59be676e0b1383e7b1607f98b8f53ae6f
SHA1eba3d44cc81c23748333ef1beb159cb26cf96d66
SHA2563f7aeef2fcba3b2d2d449fc17b8d4e30e95358d0493e2f72b55ba40c730918e8
SHA5121563fa455a7e0146b59e59d428ec6e61c265c8261f5284a397e91a842acb18769a17aba08f7dd4d00bf3f4159f08cd6c5b7c461858dc96b6392958218209aeed
-
Filesize
652B
MD523ca20cf22b6547a86b255a3a85df7f4
SHA1567ff399eb196551c26bf7410ae4e547301e6719
SHA2563a4ca6a2042022d626946ff3250570933e339ad9cb48b24d2fe03d2a0d17f430
SHA5127f0e0f2463956849ac9cbd34702abce5aee288fcd3ed3639969a8c710fd0bd1ed85449fee34e6f35dc7cedcb5963e8204c44bc1dbbe983f140f564cd82dfebd3
-
Filesize
11KB
MD5685047822d8b050f66f3bd3993c316c8
SHA1b5f87885c70a8eb5528decf7e2e45309be402bff
SHA2565079f2ec267a6d413bfb8e26c7adfe1358a3c4f8448b75b8a8de8df5d94c885d
SHA5122cee08f1ea3d87fe5346608dab1db674668ece501b767d2de4fe4ed13aa5dea1704a99819d976bf5160d36b1035c05f4ed9c0077c630c728c1102f845826ddac
-
Filesize
454B
MD5d169400551767f2f31d47b61b3888a92
SHA1fe7c326e44909d60434cea3a1021bc1affc53839
SHA2563bd1d1d4ff0dd6ba7814ddfb04daac855558e325a0f04b9a4ab79a6d2cff15ad
SHA5121565dde97fe96523308ef0060c518d555176b8a04aef0508cb721a605e551eeb3a2d822aa14a4f51dbaf242d10a889999f3e164320e14ec03e4da17a3b24123a
-
Filesize
858KB
MD5c7719f774bb859240eb6dfa91a1f10be
SHA1be1461e770333eb13e0fe66d378e3fac4f1112b5
SHA256b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4
SHA5128a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
512KB
-
Filesize
280KB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
40KB
-
Filesize
312KB
