dc2846fc0c652194ae759a1a06119bc5e4f0102dd62b2eaab341464ec89944fe

General

Target

Transferencia.exe
Size

263KB
MD5

eab44b2328f9db484cc042970b19a2be
SHA1

c38c69f8a7597a06a4b12cd06309aa23af0ce496
SHA256

36464f131691f5a812e22d4255377f79a475700185352606586f671b9ab63b66
SHA512

5793c049bbb25131725e33e09f6247fa056c64ef0d2bd5e4d643cb2b809b9767aa95bf9d421db9fe960cbf1e408c410a8c43faabf09fc1cc218c56057173a763
SSDEEP

6144:9T4Dth1R6LFzFktPQnmzpE7HBCKRx69ChHjZ9zh9Amq8:9Ti1btIIpELBCKRx6eHjZ93AmN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
3276	Transferencia.exe
3276	Transferencia.exe
3276	Transferencia.exe
3276	Transferencia.exe
3276	Transferencia.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4876	Transferencia.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3276	Transferencia.exe
4876	Transferencia.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 4876	3276	Transferencia.exe	108
PID 4876 set thread context of 3220	4876	Transferencia.exe	49
PID 4876 set thread context of 3920	4876	Transferencia.exe	110
PID 3920 set thread context of 3220	3920	bitsadmin.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
4876	Transferencia.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3276	Transferencia.exe
4876	Transferencia.exe
3220	Explorer.EXE
3220	Explorer.EXE
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe
3920	bitsadmin.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 4876	3276	Transferencia.exe	108
PID 3276 wrote to memory of 4876	3276	Transferencia.exe	108
PID 3276 wrote to memory of 4876	3276	Transferencia.exe	108
PID 3276 wrote to memory of 4876	3276	Transferencia.exe	108
PID 3276 wrote to memory of 4876	3276	Transferencia.exe	108
PID 3220 wrote to memory of 3920	3220	Explorer.EXE	110
PID 3220 wrote to memory of 3920	3220	Explorer.EXE	110
PID 3220 wrote to memory of 3920	3220	Explorer.EXE	110
PID 3920 wrote to memory of 5052	3920	bitsadmin.exe	111
PID 3920 wrote to memory of 5052	3920	bitsadmin.exe	111
PID 3920 wrote to memory of 5052	3920	bitsadmin.exe	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\Transferencia.exe
  "C:\Users\Admin\AppData\Local\Temp\Transferencia.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\Transferencia.exe
    "C:\Users\Admin\AppData\Local\Temp\Transferencia.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4876
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\SysWOW64\bitsadmin.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq74F.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
memory/3220-70-0x00000000031E0000-0x000000000329A000-memory.dmp

Filesize
744KB

Download
memory/3220-59-0x00000000031E0000-0x000000000329A000-memory.dmp

Filesize
744KB

Download
memory/3220-50-0x000000000BEE0000-0x000000000C3AC000-memory.dmp

Filesize
4.8MB

Download
memory/3220-61-0x000000000BEE0000-0x000000000C3AC000-memory.dmp

Filesize
4.8MB

Download
memory/3220-60-0x00000000031E0000-0x000000000329A000-memory.dmp

Filesize
744KB

Download
memory/3276-21-0x0000000077761000-0x0000000077881000-memory.dmp

Filesize
1.1MB

Download
memory/3276-22-0x00000000745C0000-0x00000000745C7000-memory.dmp

Filesize
28KB

Download
memory/3920-68-0x00000000010F0000-0x000000000112A000-memory.dmp

Filesize
232KB

Download
memory/3920-58-0x00000000016C0000-0x000000000175F000-memory.dmp

Filesize
636KB

Download
memory/3920-57-0x00000000010F0000-0x000000000112A000-memory.dmp

Filesize
232KB

Download
memory/3920-56-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download
memory/3920-53-0x00000000010F0000-0x000000000112A000-memory.dmp

Filesize
232KB

Download
memory/3920-69-0x00000000016C0000-0x000000000175F000-memory.dmp

Filesize
636KB

Download
memory/3920-51-0x00000000010F0000-0x000000000112A000-memory.dmp

Filesize
232KB

Download
memory/4876-45-0x0000000077761000-0x0000000077881000-memory.dmp

Filesize
1.1MB

Download
memory/4876-49-0x0000000035550000-0x0000000035570000-memory.dmp

Filesize
128KB

Download
memory/4876-48-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-52-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-44-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-54-0x0000000001660000-0x0000000005696000-memory.dmp

Filesize
64.2MB

Download
memory/4876-43-0x0000000035AA0000-0x0000000035DEA000-memory.dmp

Filesize
3.3MB

Download
memory/4876-55-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-42-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-41-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-40-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-39-0x0000000001660000-0x0000000005696000-memory.dmp

Filesize
64.2MB

Download
memory/4876-38-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4876-25-0x0000000077805000-0x0000000077806000-memory.dmp

Filesize
4KB

Download
memory/4876-24-0x00000000777E8000-0x00000000777E9000-memory.dmp

Filesize
4KB

Download
memory/4876-23-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing