bandook | hxxps://drive[.]google[.]com/file/d/1jmr9tD0FAZaLefXl8kXCS08BY7tAmEbO/view?usp=drive_web

Analysis

max time kernel
597s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1jmr9tD0FAZaLefXl8kXCS08BY7tAmEbO/view?usp=drive_web

Score

10^/10

bandook rat trojan upx

Malware Config

Extracted

Family

bandook

185.10.68.52

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1320-574-0x0000000013140000-0x00000000140BE000-memory.dmp	family_bandook
behavioral1/memory/1892-622-0x0000000013140000-0x00000000140BE000-memory.dmp	family_bandook
behavioral1/memory/1892-623-0x0000000013140000-0x00000000140BE000-memory.dmp	family_bandook
behavioral1/memory/5100-723-0x0000000013140000-0x00000000140BE000-memory.dmp	family_bandook
behavioral1/memory/5100-724-0x0000000013140000-0x00000000140BE000-memory.dmp	family_bandook

Executes dropped EXE 6 IoCs

Processes:

Documento_Digital.pdf.exeDocumento_Digital.pdf.exeDocumento_Digital.pdf.exeDocumento_Digital.pdf.exeDocumento_Digital.pdf.exeDocumento_Digital.pdf.exe

pid	process
2272	Documento_Digital.pdf.exe
2904	Documento_Digital.pdf.exe
1816	Documento_Digital.pdf.exe
1960	Documento_Digital.pdf.exe
3208	Documento_Digital.pdf.exe
4160	Documento_Digital.pdf.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1320-574-0x0000000013140000-0x00000000140BE000-memory.dmp	upx
behavioral1/memory/1892-622-0x0000000013140000-0x00000000140BE000-memory.dmp	upx
behavioral1/memory/1892-623-0x0000000013140000-0x00000000140BE000-memory.dmp	upx
behavioral1/memory/5100-723-0x0000000013140000-0x00000000140BE000-memory.dmp	upx
behavioral1/memory/5100-724-0x0000000013140000-0x00000000140BE000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

PowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Pract_pdf07072023.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Pract_pdf07072023(1).7z:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PowerShell.exemsinfo32.exepowershell.exe

pid process

2084 PowerShell.exe
2084 PowerShell.exe
1320 msinfo32.exe
1320 msinfo32.exe
2576 powershell.exe
2576 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4556 OpenWith.exe

pid	process
2084	PowerShell.exe
2084	PowerShell.exe
1320	msinfo32.exe
1320	msinfo32.exe
2576	powershell.exe
2576	powershell.exe

pid	process
4556	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

firefox.exe7zG.exePowerShell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeRestorePrivilege	3220	7zG.exe
Token: 35	3220	7zG.exe
Token: SeSecurityPrivilege	3220	7zG.exe
Token: SeSecurityPrivilege	3220	7zG.exe
Token: SeDebugPrivilege	2084	PowerShell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe7zG.exe

pid process

1752 firefox.exe
1752 firefox.exe
1752 firefox.exe
1752 firefox.exe
3220 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1752 firefox.exe
1752 firefox.exe
1752 firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeOpenWith.exe

pid	process
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe
4556	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 232 wrote to memory of 1752	232	firefox.exe	firefox.exe
PID 1752 wrote to memory of 940	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 940	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 996	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 4948	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 4948	1752	firefox.exe	firefox.exe
PID 1752 wrote to memory of 4948	1752	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/file/d/1jmr9tD0FAZaLefXl8kXCS08BY7tAmEbO/view?usp=drive_web
1⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/file/d/1jmr9tD0FAZaLefXl8kXCS08BY7tAmEbO/view?usp=drive_web
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.0.866952536\1043837997" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e892fb75-12a2-4ed4-bbfc-201ecd0eeeeb} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 1932 1d51a5f1058 gpu
3⤵
PID:940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.1.1974673423\1911248638" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {627b54a3-1d8b-49c9-aea8-99966415c2f6} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 2368 1d50686fb58 socket
3⤵
- Checks processor information in registry
PID:996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.2.167583229\1179362135" -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6578ee-8914-4dac-8b87-a82c921520bc} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 3168 1d51a55a858 tab
3⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.3.1405688446\884658924" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {147acd93-fdc7-4baf-a35e-65f1e37f8ceb} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 3556 1d51f474458 tab
3⤵
PID:1468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.4.1054759658\381126082" -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cec2622-7a4a-4f56-9e08-83aa000f82e6} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5008 1d520977c58 tab
3⤵
PID:1080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.5.401165798\2092441042" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9952c186-028a-42a6-b2b5-e7743d5d2f38} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5144 1d520978558 tab
3⤵
PID:3780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.6.1632139841\583377201" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e74d8c74-9f9d-47c6-94a6-00e4ff42d17f} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5336 1d5213fba58 tab
3⤵
PID:4776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1752.7.607586715\574519193" -childID 6 -isForBrowser -prefsHandle 5796 -prefMapHandle 5720 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac90f0a-626b-466d-a666-1232437755fe} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" 5808 1d521dc1458 tab
3⤵
PID:3388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Downloads\Pract_pdf07072023.7z"
2⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2552

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31419:94:7zEvent21740
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3220

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
"C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\26723.bat"
3⤵
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionExtension exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe ooooooooooooooo
2⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
"C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe"
1⤵
- Executes dropped EXE
PID:2904

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
PID:1892

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe ooooooooooooooo
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\Pract_pdf07072023'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
"C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe"
2⤵
- Executes dropped EXE
PID:1816

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
3⤵
PID:5100

C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe ooooooooooooooo
3⤵
- Executes dropped EXE
PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hw21aoqh.default-release\activity-stream.discovery_stream.json.tmp
Filesize
155KB

MD5
2428fa598b489bd2232c34b621a69333

SHA1
9ed8fe0b969adfe331ecf8d9a5c765737c4b4e86

SHA256
cc7d454ba3ddd2eb1caf996853bed2ba934c214e3d37c5f2e6d12af9e598bb85

SHA512
4e698f6152b785a6b355af8e87a55f602cfa927b984dd0ef0f74b1ef15a3f8ceb0704179bfd3979516ad9582aec21aa76f6c42a10bcdd7e233acc4e5beb609da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hw21aoqh.default-release\cache2\doomed\11628
Filesize
8KB

MD5
ae097fb8b41a14bc5de7eccd514de6e4

SHA1
ec2c5783bb92f363915c9f23d0aea22ac917d3a4

SHA256
f659b193bae44f3524d2bb744af857a2ec13ddec2a563bf26990299461bf9c84

SHA512
bf8c58d490322e12f465dded47f3ffa67a5e0b792cb47a07fb53e7f7bc3269bdc350660aa1726d11d80911e9970263b1876b3670e38da06cef045d81a879f3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsgs0z42.ffv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\26723.bat
Filesize
883B

MD5
798dc26cf1eac4b0107b737a248704e7

SHA1
3b50c698712a678fc94c91fe360a554a2fca6f8f

SHA256
3bc3dd9c15fa1695ae8d1d78b483f6bb40c8230113c35cda9376a86e20e21e48

SHA512
3e68b1a0d88ca4af376794f2c9733a8346ca3c3bde828c8b24f2938d8e2c63ed3261562f8dc6e5a57f8e93028cb271d2fabf008bb98a4cd5d6df42efbe94c1d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs-1.js
Filesize
7KB

MD5
39f2bd34c25ba3681e015bbf5e5b2194

SHA1
2e29dfa7d333c22d9bad5d0c961e263cee273e39

SHA256
a29a066c002a44f479203f05239b39968ee23721a406b495e600fa0a5840d76b

SHA512
fc14034fa5ff3014a0953403890de2a2f25669533432bf3916cb60c501d0c7a76226885dddd92d415be73d53bd54ba7a4b950986b2f1162167bc32e5d7eff6e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs-1.js
Filesize
7KB

MD5
4e9c336168081a3ef3a9ff937a4e3c34

SHA1
cb10ddcce394fe56cbf60b05731a3668995ac113

SHA256
3aeecad581210132b5779ac8e6c10693ad7b143c462385e0e4c33f6c33ed9e4a

SHA512
e5b928ba40496a18200559f52fd333eea720c4f524c81a659d29e8f9b24e486d124c9117b89f5243fa253ec9f7ab2b7336a199b5bccd0cf0a9d4d07730c140c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs.js
Filesize
6KB

MD5
f47fb1a47b39674565df5732f13c944b

SHA1
0d553d7e785c840d2fc315898b97302fcaebbae9

SHA256
558b83be18d411738383575b8e212198c2276651253a5d852fceae95ac34762c

SHA512
aacb931bf29fb3867e4c297ed95d15124177f3262ce95b9eb86235d122fd490c3beb0d3597fbb68469e4cdbd3724d9fa8bcd265df28ecfa97b8955a88bb6cef8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs.js
Filesize
6KB

MD5
ffc959619a8645752f652188f3d8fe9a

SHA1
d0791a3459ec8972ca7233e7d8123d4664024230

SHA256
58aac6d46ffa404ea8192f949b2a4fca353c77f902a3f82f31e4ae2fbd7958b6

SHA512
56e9e7684eb0ac6210cd324ab1e4140f6597fc970ff08d8f4689dab87805738cad4b91e2fcab82af796528d6d7b1cb35b0da159b1ece92f87d054cd366c33502

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
991B

MD5
c330faae1d679221543936a34d988dcb

SHA1
69f284f15e0cea14777a8cc20cefdb286c3a81c0

SHA256
ec693ed3ab208440dc845fd0e558b475186ba8fae0f84291a231c359d694af4c

SHA512
5601168f7cc4cf89fe4f71d166cc2c8ea188a9ac38f2b649a24e7aacc98432b2c123bee5fda345705d967ad2891672e83d7f907eb503c4847729330f2db66455

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
2bfba75e2f2c311ddd93c9ba2a35f345

SHA1
a18e9d5249b3103890d697f9ce318c6f3150136f

SHA256
54c39a643bbf548f841a52f946399bf9a86a1f96a118cb7351061ae1b9093684

SHA512
dbc1a983ffca8c55e33576c1c589f0e553179f404733b8cb7d091f53f2584a67e4d7273167c4eade4335bf10b0ceafd4da1359d4ec7dad255836da0c2258936b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
91c5dd27e34f1a524eef6d2a0244003c

SHA1
f603f3da7009abd0310cb3aa31755726ee1e4187

SHA256
385789f02add2106bdf166332cdafb182cb096fc45f37fbf668737d8f8a98332

SHA512
5cb97808ee6018e50f71ce6b032a233ff93c0df80e48d331950114709e2bbb7e14101c7c055fc962a309afcfbd19bd7659e9e5b69da9e2937eebcf9d67dc45f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
681c4efea24b7d820731b3c357dc6bc5

SHA1
b390ff05cc0a3cece34438d640141c20a2d6cd4d

SHA256
0ca36586bf516fb295c5b1caaecfb44005e9a55be70e654aabc4af7979335725

SHA512
b59d6f0ba8476a20ec6304fb0e3dccf332df6a499d97876d57e1b73d16b841d99fc469c7fc7d9eaa08828fea9e6635a21479a2d902eaf393685b1a6dbba3b3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore.jsonlz4
Filesize
3KB

MD5
051850f1161cee9e83c645726048a4a5

SHA1
f4f6d86f5a3dcbebb0997d772c00e30daaecf700

SHA256
07a71104ad6d480f006397b898e2b7357cdc17cf974fe7afdea7bebc38e05f6a

SHA512
6cb1b2f2912a354f3b93280b9148251992b013080fe9437d4ab0bc856300ca4cfae71f3edeb5d348e011dc0736b553e1f0fcd6efd7e8b7d44d06cce35ff82878

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023.7z
Filesize
5.0MB

MD5
efbf833bd996c6945ce027ead6875f8b

SHA1
84c503bdd575f472cff3b1697309453566b39ce8

SHA256
478a52663837384c054ce9f2bad6be72522a1ff609343b85ff5bcdfa97c97271

SHA512
7d6c7efdcc0b5c64d61279f14967050ec1da61fa530f2353998b4d0ed911e512e3a60348ea9bb0bbfe71eb081a05abf10cac01f3a065f45e6fd435c6701efa4d

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023.u6slnsPL.7z.part
Filesize
12KB

MD5
8796b497dcae1c63c974f5aa56497def

SHA1
bf34a332a912abbaeba9fffe1b7ef89ef7343d16

SHA256
f34d4f15ccc7eb0bd1d57c6163d009402e4d69bd19f23d74263bb4d0efdb4bb6

SHA512
f17632ce5050e6db5cc93aeb81e6751f0249cc7b4da81ebcb93046743b89f949c9e00b415b9a79551a0fdbd919068931927e677be6d0d2f3aee877bbf9083280

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
C:\Users\Admin\Downloads\Pract_pdf07072023\Documento_Digital.pdf.exe
Filesize
7.3MB

MD5
71135a8b3e5cbc7f6f372008b97e9d64

SHA1
8d38d71c8d6a7d49939c7883f930379486e4d74e

SHA256
f046bb5428fdd140157d256ddc8809d114799a893ee30c6e994c54d20aff582f

SHA512
2c57337122c275c41708bee16e27a14a441fc48688e95ed3f5909abf845392bf1ffc73a090880a003cc72913af8f7073eda4217851d263e8d0bc4c24352208ff

Download Submit
memory/1320-574-0x0000000013140000-0x00000000140BE000-memory.dmp

Filesize
15.5MB

Download
memory/1816-490-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/1816-484-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/1816-479-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1892-622-0x0000000013140000-0x00000000140BE000-memory.dmp

Filesize
15.5MB

Download
memory/1892-623-0x0000000013140000-0x00000000140BE000-memory.dmp

Filesize
15.5MB

Download
memory/1960-579-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1960-563-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2084-466-0x00000146E9540000-0x00000146E9584000-memory.dmp

Filesize
272KB

Download
memory/2084-472-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-473-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-476-0x00000146E9590000-0x00000146E95AE000-memory.dmp

Filesize
120KB

Download
memory/2084-471-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-467-0x00000146E9610000-0x00000146E9686000-memory.dmp

Filesize
472KB

Download
memory/2084-465-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-463-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-464-0x00000146E85F0000-0x00000146E8600000-memory.dmp

Filesize
64KB

Download
memory/2084-462-0x00000146E9180000-0x00000146E91A2000-memory.dmp

Filesize
136KB

Download
memory/2272-440-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/2272-441-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/2272-359-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2272-438-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/2272-439-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/2576-668-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/2576-698-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/2576-667-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/2576-710-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/2576-669-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/2576-675-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/2576-676-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2576-683-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2576-684-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2576-685-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/2576-709-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/2576-687-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/2576-688-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

Filesize
304KB

Download
memory/2576-708-0x0000000007580000-0x000000000758E000-memory.dmp

Filesize
56KB

Download
memory/2576-699-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/2576-700-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/2576-701-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2576-702-0x000000007F7C0000-0x000000007F7D0000-memory.dmp

Filesize
64KB

Download
memory/2576-703-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/2576-704-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/2904-444-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2904-450-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/2904-446-0x0000000000400000-0x0000000000B52000-memory.dmp

Filesize
7.3MB

Download
memory/3208-617-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4160-716-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/5100-723-0x0000000013140000-0x00000000140BE000-memory.dmp

Filesize
15.5MB

Download
memory/5100-724-0x0000000013140000-0x00000000140BE000-memory.dmp

Filesize
15.5MB

Download