dc2846fc0c652194ae759a1a06119bc5e4f0102dd62b2eaab341464ec89944fe

General

Target

Transferencia.exe
Size

263KB
MD5

eab44b2328f9db484cc042970b19a2be
SHA1

c38c69f8a7597a06a4b12cd06309aa23af0ce496
SHA256

36464f131691f5a812e22d4255377f79a475700185352606586f671b9ab63b66
SHA512

5793c049bbb25131725e33e09f6247fa056c64ef0d2bd5e4d643cb2b809b9767aa95bf9d421db9fe960cbf1e408c410a8c43faabf09fc1cc218c56057173a763
SSDEEP

6144:9T4Dth1R6LFzFktPQnmzpE7HBCKRx69ChHjZ9zh9Amq8:9Ti1btIIpELBCKRx6eHjZ93AmN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2780	Transferencia.exe
2780	Transferencia.exe
2780	Transferencia.exe
2780	Transferencia.exe
2780	Transferencia.exe
2004	bitsadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2420	Transferencia.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2780	Transferencia.exe
2420	Transferencia.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 2420	2780	Transferencia.exe	30
PID 2420 set thread context of 1260	2420	Transferencia.exe	15
PID 2420 set thread context of 2004	2420	Transferencia.exe	33
PID 2004 set thread context of 1260	2004	bitsadmin.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2085049433-1067986815-1244098655-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2420	Transferencia.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2780	Transferencia.exe
2420	Transferencia.exe
1260	Explorer.EXE
1260	Explorer.EXE
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe
2004	bitsadmin.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 2780 wrote to memory of 2420	2780	Transferencia.exe	30
PID 1260 wrote to memory of 2004	1260	Explorer.EXE	33
PID 1260 wrote to memory of 2004	1260	Explorer.EXE	33
PID 1260 wrote to memory of 2004	1260	Explorer.EXE	33
PID 1260 wrote to memory of 2004	1260	Explorer.EXE	33
PID 2004 wrote to memory of 2356	2004	bitsadmin.exe	35
PID 2004 wrote to memory of 2356	2004	bitsadmin.exe	35
PID 2004 wrote to memory of 2356	2004	bitsadmin.exe	35
PID 2004 wrote to memory of 2356	2004	bitsadmin.exe	35
PID 2004 wrote to memory of 2356	2004	bitsadmin.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\Transferencia.exe
  "C:\Users\Admin\AppData\Local\Temp\Transferencia.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Transferencia.exe
    "C:\Users\Admin\AppData\Local\Temp\Transferencia.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2420
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\SysWOW64\bitsadmin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnvtqh.zip

Filesize
433KB

MD5
ecc8ac417181d4885ef8c208d1f073dc

SHA1
33154e45485bc0ae3bb0203ffcb9baaaed4038d3

SHA256
d01c69d09282f9050f6b113c45884fe9b9abf3bdf5bd93b45927d9b6bfb233fe

SHA512
f7601763447bed9b7b45fef2bd584da669636d2657c6066516c949e713ce1caf0641a1889345e92e584b84f438fa19029d13c6f6f1583d35fcc1eb3f998631da

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7C42.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
828KB

MD5
d5ea9b5814553bd2f9bbb8bf0ea94ed6

SHA1
29629836c088dcd968efb321832edcbcfaac5b51

SHA256
5ea67d6b7f67301ca214af511740f26b9e6cc9e16b2c0ec7bba071d05b9bde78

SHA512
6867452995c8354622fe22ce4fb4868d2b9cb28bb31aa60b42f06e494b952f66c427aa66c7af09240954bf55ebcde62d4c7feb9d99e742ea3bc5beb3756a7a1e

Download Submit
memory/1260-79-0x0000000006C70000-0x0000000006D69000-memory.dmp

Filesize
996KB

Download
memory/1260-124-0x0000000006C70000-0x0000000006D69000-memory.dmp

Filesize
996KB

Download
memory/1260-68-0x00000000089E0000-0x000000000AC93000-memory.dmp

Filesize
34.7MB

Download
memory/1260-76-0x0000000003930000-0x0000000003A30000-memory.dmp

Filesize
1024KB

Download
memory/1260-80-0x00000000089E0000-0x000000000AC93000-memory.dmp

Filesize
34.7MB

Download
memory/2004-123-0x0000000000370000-0x000000000040F000-memory.dmp

Filesize
636KB

Download
memory/2004-77-0x0000000000370000-0x000000000040F000-memory.dmp

Filesize
636KB

Download
memory/2004-122-0x0000000061E00000-0x0000000061EBC000-memory.dmp

Filesize
752KB

Download
memory/2004-73-0x0000000000100000-0x000000000013A000-memory.dmp

Filesize
232KB

Download
memory/2004-72-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/2004-121-0x0000000000100000-0x000000000013A000-memory.dmp

Filesize
232KB

Download
memory/2004-70-0x0000000000100000-0x000000000013A000-memory.dmp

Filesize
232KB

Download
memory/2004-69-0x0000000000100000-0x000000000013A000-memory.dmp

Filesize
232KB

Download
memory/2420-59-0x0000000035810000-0x0000000035B13000-memory.dmp

Filesize
3.0MB

Download
memory/2420-67-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/2420-66-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-58-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-57-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-71-0x0000000001470000-0x00000000054A6000-memory.dmp

Filesize
64.2MB

Download
memory/2420-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-56-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-55-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-54-0x0000000001470000-0x00000000054A6000-memory.dmp

Filesize
64.2MB

Download
memory/2420-53-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-31-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/2420-30-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2420-29-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2780-28-0x0000000074610000-0x0000000074617000-memory.dmp

Filesize
28KB

Download
memory/2780-27-0x0000000077140000-0x0000000077216000-memory.dmp

Filesize
856KB

Download
memory/2780-26-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing