Overview

overview

7

Static

static

1

justifican...go.exe

windows7-x64

7

justifican...go.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    22-11-2023 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    justificante de pago.exe

  • Size

    290KB

  • MD5

    7f45d3ae1250a354a3c0955e0414f9ec

  • SHA1

    e2242211da4349bb85d1935831957405a4f98669

  • SHA256

    206b596f2a06c33b636698217854ab8c417ae20f50ba59247a7a2bed74ccacf2

  • SHA512

    eda0da12d190ce6e03a4f9ab8c1e9e24b3be5a0db186619f167fd54359fbdbf6a40d42162ef67b58c73a012ae73cd99b5b4c6d0e56b77f697ae8bc181480f3ef

  • SSDEEP

    6144:TT4DtPsbFhPYwPL0cMVTmsmOriSyygpCFccq22SWJtC3yv9gg3rZ/m:TTAsbzPT0rVasjSFoF5qltCi9hVm

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe
      "C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe
        "C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2808
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\SysWOW64\bitsadmin.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:5024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      014a3be4a7c1ccb217916dbf4f222bd1

      SHA1

      9b4c41eb0e84886beb5591d8357155e27f9c68ed

      SHA256

      09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

      SHA512

      0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      014a3be4a7c1ccb217916dbf4f222bd1

      SHA1

      9b4c41eb0e84886beb5591d8357155e27f9c68ed

      SHA256

      09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

      SHA512

      0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      014a3be4a7c1ccb217916dbf4f222bd1

      SHA1

      9b4c41eb0e84886beb5591d8357155e27f9c68ed

      SHA256

      09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

      SHA512

      0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      014a3be4a7c1ccb217916dbf4f222bd1

      SHA1

      9b4c41eb0e84886beb5591d8357155e27f9c68ed

      SHA256

      09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

      SHA512

      0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      014a3be4a7c1ccb217916dbf4f222bd1

      SHA1

      9b4c41eb0e84886beb5591d8357155e27f9c68ed

      SHA256

      09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

      SHA512

      0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd8F02.tmp\System.dll
      Filesize

      12KB

      MD5

      564bb0373067e1785cba7e4c24aab4bf

      SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

      SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

      SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

      Download Submit

    • memory/2536-71-0x0000000000BC0000-0x0000000000C5F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/2536-70-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2536-69-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2536-52-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2536-59-0x0000000000BC0000-0x0000000000C5F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/2536-58-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2536-56-0x0000000000CD0000-0x000000000101A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2536-53-0x0000000000390000-0x00000000003CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2808-25-0x00000000774E8000-0x00000000774E9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2808-40-0x0000000001660000-0x0000000004C2D000-memory.dmp

      Filesize

      53.8MB

      Download

    • memory/2808-44-0x0000000035100000-0x000000003544A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2808-45-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-46-0x0000000077461000-0x0000000077581000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2808-49-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-50-0x0000000034AE0000-0x0000000034B00000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2808-24-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-42-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-41-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-54-0x0000000001660000-0x0000000004C2D000-memory.dmp

      Filesize

      53.8MB

      Download

    • memory/2808-43-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-55-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-39-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2808-26-0x0000000077505000-0x0000000077506000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3332-60-0x0000000002920000-0x0000000002A20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3332-61-0x0000000002920000-0x0000000002A20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3332-62-0x000000000C400000-0x000000000E758000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3332-51-0x000000000C400000-0x000000000E758000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3332-72-0x0000000002920000-0x0000000002A20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4064-23-0x0000000074140000-0x0000000074147000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4064-22-0x0000000077461000-0x0000000077581000-memory.dmp

      Filesize

      1.1MB

      Download