912444aec56fd47f95d449249675e51f2b07da90934d486c0d91e148cec71567

General

Target

FACTURAS PENDIENTES.exe
Size

736KB
MD5

be5049954ae1360c7c73edc98c252948
SHA1

347c475c80875dec8a84f6fbb70309e73f6c6036
SHA256

912444aec56fd47f95d449249675e51f2b07da90934d486c0d91e148cec71567
SHA512

8151efe7a2cbc5af735bd19eae31398ffae0fa19d97991903005c2d0d39e112285c4ea1ccc336429d293a29716d5df38439a1f43caac8f9d4f8fc9991acb89f1
SSDEEP

12288:SydzjtuEA9MsXWyiXiP9tyy2mFYauVJhsM4DZ264KuinZ5F0y65u:SydzB+7XxiXYt12mFYauVjcF2KtnZINw

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FACTURAS PENDIENTES.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FACTURAS PENDIENTES.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FACTURAS PENDIENTES.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	FACTURAS PENDIENTES.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	FACTURAS PENDIENTES.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3036	2320	FACTURAS PENDIENTES.exe	29
PID 2320 wrote to memory of 3036	2320	FACTURAS PENDIENTES.exe	29
PID 2320 wrote to memory of 3036	2320	FACTURAS PENDIENTES.exe	29
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31
PID 2320 wrote to memory of 2584	2320	FACTURAS PENDIENTES.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FACTURAS PENDIENTES.exe

C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2320-0-0x0000000001280000-0x00000000012AA000-memory.dmp

Filesize
168KB

Download
memory/2320-1-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-2-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2320-3-0x00000000011C0000-0x0000000001256000-memory.dmp

Filesize
600KB

Download
memory/2320-20-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2320-19-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-12-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/3036-13-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/3036-14-0x000007FEEE3A0000-0x000007FEEED3D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-15-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/3036-16-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/3036-17-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/3036-18-0x000007FEEE3A0000-0x000007FEEED3D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-9-0x000007FEEE3A0000-0x000007FEEED3D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-10-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads