218a13ad076b70fc269012143fe6ebeb5883f651a99f60cb58c31b2eb421dfab

General

Target

facturas N° EX46240573.exe
Size

1.0MB
MD5

7510ca968d647c58b6a90aad25b67ea9
SHA1

98e9b389b53fac08e5b57b4f7510b62262cd2b60
SHA256

c721b3739c4b79acc13fb4694c123cc1c6c4ca2fa73a0e0afcd13438bd7e808a
SHA512

5295f022cb517be10ee6b932bf77d0fee6c516526748dd9c55b22b0a60132eb451cbb31d1e0c42e22fbd03280c487bc52404212cfd195bace3cf0cfa92275f10
SSDEEP

24576:CyS5+ePu723mYdVUnOnWKyowfm66aicu9oI+/7bbL:CyE+OkaGGWK7H66FbUX

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2628	powershell.exe
600	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 600	2628	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2628	2992	facturas N° EX46240573.exe	28
PID 2992 wrote to memory of 2628	2992	facturas N° EX46240573.exe	28
PID 2992 wrote to memory of 2628	2992	facturas N° EX46240573.exe	28
PID 2992 wrote to memory of 2628	2992	facturas N° EX46240573.exe	28
PID 2628 wrote to memory of 2248	2628	powershell.exe	30
PID 2628 wrote to memory of 2248	2628	powershell.exe	30
PID 2628 wrote to memory of 2248	2628	powershell.exe	30
PID 2628 wrote to memory of 2248	2628	powershell.exe	30
PID 2628 wrote to memory of 600	2628	powershell.exe	32
PID 2628 wrote to memory of 600	2628	powershell.exe	32
PID 2628 wrote to memory of 600	2628	powershell.exe	32
PID 2628 wrote to memory of 600	2628	powershell.exe	32
PID 2628 wrote to memory of 600	2628	powershell.exe	32
PID 2628 wrote to memory of 600	2628	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\facturas N° EX46240573.exe
"C:\Users\Admin\AppData\Local\Temp\facturas N° EX46240573.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Ekspressionismens7=Get-Content 'C:\Users\Admin\AppData\Local\Temp\positurs\Seashell176\Interpoint.Bal';$Tullibee=$Ekspressionismens7.SubString(53040,3);.$Tullibee($Ekspressionismens7)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2248
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\positurs\Seashell176\Interpoint.Bal

Filesize
51KB

MD5
0400d405566489bfa0be0013ec788876

SHA1
f04115b88eb250a7332048c592d3c1ffb41cbd53

SHA256
9c33687a4432512107b44023c799308950beff4b7262187185a7811fcf7e0bd4

SHA512
33f4a908f6d5845ebad4a9cca27ec157fbaa0b5d9d43dde2988aede0c8327cbc4b914077ea6da71a7bbdc22218b5a7a1221611f7addf4fc87f51cf6c31a6cf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\positurs\Seashell176\Knaldfilmenes.Mod

Filesize
325KB

MD5
74dced431efab55fd63c946859e15d6c

SHA1
76ff2b7d0dd9c1512c4e644d76201c2e38b14a39

SHA256
5359e920abce48937791362d2756b73db750bd385bef3cd4b648f2da22a514dc

SHA512
27c4235bf61be47972722ab432dbf21f45146be17cb324d93b1b8a5d8d6cf0d645a4a8ea43856731dc0f30e18c27b01e600cc2975f0d62fc8a981f964689e764

Download Submit
memory/600-39-0x00000000008A0000-0x0000000001902000-memory.dmp

Filesize
16.4MB

Download
memory/2628-17-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2628-18-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-19-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-20-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-21-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-25-0x00000000066C0000-0x00000000078CF000-memory.dmp

Filesize
18.1MB

Download
memory/2628-26-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing