Overview

overview

10

Static

static

3

Confirmaci...ago.gz

windows7-x64

3

Confirmaci...ago.gz

windows10-2004-x64

3

sample.tar

windows7-x64

3

sample.tar

windows10-2004-x64

3

Confirmaci...go.exe

windows7-x64

10

Confirmaci...go.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirmación de pago.gz

  • Size

    1.4MB

  • MD5

    f7455f462dcaa58e46ceb606d51a3b96

  • SHA1

    c29da0495d6c998caba875acb0cae66c94900e9a

  • SHA256

    aee487cfb44d63408f984764a1a3ffafbe6986db198a66d90c1ac97c389d95ff

  • SHA512

    46fcfd6b3a2f001765c9d542c0bae106c8f4714a28d36309667ed543f32bcddb941d9aa020f18c2015687265475556cdd62b1943d9d625796f55bf4fca0654f5

  • SSDEEP

    12288:+1W3nUQNUVFWaMCe+ej65u1P2t8QTW6Ptywb7+aH6hq5V:ReFWYRw1PAvPcwb7fee

Score
3/10
discovery

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Confirmación de pago.gz"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Confirmación de pago.gz
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Confirmación de pago.gz
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Confirmación de pago.gz"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    6fd67da523475a6d53f11cc90128cea1

    SHA1

    4d4fcac47acabdc2e634e3ff0d81ddcc7a1e8235

    SHA256

    0d9e3fd7d59c7fbfda3189aa00f331c31cac3501e64721fda6c02fa2d9861aa7

    SHA512

    b4f0fd49530f84d7cd728b0bddbcc784e7d662f7d7af04e97005908e0f378004cbd8cdc1c71e8a270ad835e0fdc14b24c19c629bfce7e549ce4282d3476b89d6

    Download Submit