809a6bc586ffc5b3c4b20c95d7b6038a185e3a8227d4990cf876c369e811955b

General

Target

Boleto.2a.via.arquivo.anexos.visualizar.exe
Size

478KB
MD5

6981524ca41b3fdcdf2e17b1987e312b
SHA1

6687c094e37b7367b924f09ee7b0fb44a71f9c39
SHA256

830eda18b7bab059bb57b6d5f1ab225b0e19bc036501e26ba694062c0c903924
SHA512

2e226128a4ad6941e73898a8571ef4aeede7a19e5938e3726fe1e989933a5c4b6c423d71d3ae4c2801a90deb5ff4652f0a8563bb9bcc1ba1f7cda088185b829f
SSDEEP

6144:ZiLpzJlA3hTWyArrlMtSFXeww8Mlc02HLm+ZHBX0SZe2Tf/9VJUzVW4OX9WKKxK7:ZiLpjA3SaQeeZ6+Z+U/BNXnms

Score

6^/10

discovery upx

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Boleto.2a.via.arquivo.anexos.visualizar.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Boleto.2a.via.arquivo.anexos.visualizar.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/3012-28-0x0000000000400000-0x0000000000529000-memory.dmp	upx
behavioral1/memory/3012-45-0x0000000000400000-0x0000000000529000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boleto.2a.via.arquivo.anexos.visualizar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2564	AcroRd32.exe
2564	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2764	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	30
PID 3012 wrote to memory of 2764	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	30
PID 3012 wrote to memory of 2764	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	30
PID 3012 wrote to memory of 2764	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	30
PID 3012 wrote to memory of 2516	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	32
PID 3012 wrote to memory of 2516	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	32
PID 3012 wrote to memory of 2516	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	32
PID 3012 wrote to memory of 2516	3012	Boleto.2a.via.arquivo.anexos.visualizar.exe	32
PID 2516 wrote to memory of 2564	2516	CMD.exe	34
PID 2516 wrote to memory of 2564	2516	CMD.exe	34
PID 2516 wrote to memory of 2564	2516	CMD.exe	34
PID 2516 wrote to memory of 2564	2516	CMD.exe	34

C:\Users\Admin\AppData\Local\Temp\Boleto.2a.via.arquivo.anexos.visualizar.exe
"C:\Users\Admin\AppData\Local\Temp\Boleto.2a.via.arquivo.anexos.visualizar.exe"
1⤵
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\CMD.exe
  CMD /C C:\Users\Admin\AppData\Local\Temp\BOLETO~1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Start BOLETO~1.PDF
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Boleto.2a.via.arquivo.anexos.visualizar.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOLETO~1.bat

Filesize
252B

MD5
94b604c0e403a68d8be10cf2d11ae0fa

SHA1
8939ae010db8ff6d553bc33537fa7b7acaadf0f2

SHA256
e72b59e3a947af9a6504ec8c45dfb1fe0e7478a13c968a74c8ed7a0c96b041a0

SHA512
99e7c2195c78443ce3f1eff93cbe7b151f9eb8b0d4502141600f910ac1a0412fbfb257e938f72ba247d88c28e13daf508f64899c657f48354880195ff960c6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boleto.2a.via.arquivo.anexos.visualizar.pdf

Filesize
20B

MD5
da3427767b8164b069b7f1cead5afd02

SHA1
7d9a577acfaa533a9c479f88d466929180576447

SHA256
e53b93633158290fd3856558e94d8171c78dd285a7c039cfdc1a3285d634e75f

SHA512
a6e4b092ecc0b682089b654066fbca30668c94fa9d54eea4e3c56477971d5cafbcb29462265a3064b7ef3d24d7d910c91bb8baf20af2d2a7acb4a2311a65b0f5

Download Submit
memory/3012-0-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3012-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3012-28-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3012-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3012-45-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing