792f7b6362d213e5976d71aea0f36488aae184b30e021210e847d1450546c39d

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 19:28

Target

NOTIFICACION DEMANDA PERSONAL.exe
Size

489KB
MD5

35e7110e47ba3d42bf5b71937e02ce8b
SHA1

7194f08ad122d5e2e1d7b432522d6e9fc2565d7b
SHA256

792f7b6362d213e5976d71aea0f36488aae184b30e021210e847d1450546c39d
SHA512

70020e4680f74fd17705b14b0cc11541c773844952ee211eda82291b49b07c94acae9a7aa406c0f6e41fbad4a54d7ff10432b0acb0b2bbf5bc66201b8c6aec43
SSDEEP

12288:qimcuTGiqcyQoiAsxhfi+/wHKK8zsK/nn6F2oG:qimcUGiqcyuAoh6jHKRzsKvQ23

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1716 powershell.exe
6 1716 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1716 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1716 powershell.exe

flow	pid	process
4	1716	powershell.exe
6	1716	powershell.exe

pid	process
1716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NOTIFICACION DEMANDA PERSONAL.exe

description	pid	process	target process
PID 1496 wrote to memory of 1716	1496	NOTIFICACION DEMANDA PERSONAL.exe	powershell.exe
PID 1496 wrote to memory of 1716	1496	NOTIFICACION DEMANDA PERSONAL.exe	powershell.exe
PID 1496 wrote to memory of 1716	1496	NOTIFICACION DEMANDA PERSONAL.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DEMANDA PERSONAL.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DEMANDA PERSONAL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -F C:/ProgramData/md9fmn2uj52E8Ut8f5xmiH0j4abpph3A.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

C:\ProgramData\md9fmn2uj52E8Ut8f5xmiH0j4abpph3A.ps1

Filesize
25KB

MD5
e8c3e078f9a6d9efa1391687a983ffae

SHA1
f5e0b299465164cd1745ab5153d98ceb66b465f4

SHA256
9d1c391c7730878897d9c03c5f2ab09a7428293bcf058346eaeb6c617e0e7289

SHA512
566bd10fae840974ce4214d4d7247afd62891780af7dc75a7e3f0b1ad849e2ebea44318280e188149268371a31975b711abfd3f72949a43018b5b0c66620a9cd

Download Submit
memory/1716-59-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1716-60-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/1716-62-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1716-61-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/1716-64-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download