Overview

overview

10

Static

static

1

MOVIMIENTO...1).eml

windows7-x64

10

MOVIMIENTO...1).eml

windows10-2004-x64

3

H.png

windows7-x64

3

H.png

windows10-2004-x64

3

email-html-2.html

windows7-x64

3

email-html-2.html

windows10-2004-x64

3

email-plain-1.txt

windows7-x64

1

email-plain-1.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 18:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO (1).eml

  • Size

    19KB

  • MD5

    0e204a7f452ac12937c29c1ba8ff7e73

  • SHA1

    70a7fffb6318bbae045f6194f20b4c9580394597

  • SHA256

    7d714cbb29c50203b38dc40fb727d9e6a071f53062f506631717ce9a2f44bb33

  • SHA512

    ed17da3e20ca15af013f68b6b16a577df6a2927776fcc7c04fb6dadfa703c681a3fe1444be99d47014e536603f2024b6355f315b5c1561b46030ef9963f80de8

  • SSDEEP

    384:sUKh9yr4zgvrGlgPUGM2tTNLIMqIAnCZGwPF83uwcckhSCZt/I5K+g9wt:0ciEn9Nrqx2VF8+LJv/3/W

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO (1).eml"
    1⤵
    • Modifies registry class
    • NTFS ADS
    PID:864
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1204

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    dl.delivery.mp.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    dl.delivery.mp.microsoft.com
    IN A
    Response
    dl.delivery.mp.microsoft.com
    IN CNAME
    dl.delivery.mp.microsoft.com.delivery.microsoft.com
    dl.delivery.mp.microsoft.com.delivery.microsoft.com
    IN CNAME
    dcat-f-nlu-net.trafficmanager.net
    dcat-f-nlu-net.trafficmanager.net
    IN CNAME
    dcat.azureedge.net
    dcat.azureedge.net
    IN CNAME
    dcat.ec.azureedge.net
    dcat.ec.azureedge.net
    IN CNAME
    wu.wpc.apr-52dd2.edgecastdns.net
    wu.wpc.apr-52dd2.edgecastdns.net
    IN CNAME
    hlb.apr-52dd2-0.edgecastdns.net
    hlb.apr-52dd2-0.edgecastdns.net
    IN CNAME
    cs11.wpc.v0cdn.net
    cs11.wpc.v0cdn.net
    IN A
    93.184.221.240
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=16CCFC05225B6A3E140EE91623996B86; domain=.bing.com; expires=Mon, 03-Nov-2025 18:27:15 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BFB18D165A764B759F6808063A95A155 Ref B: LON601060106034 Ref C: 2024-10-09T18:27:15Z
    date: Wed, 09 Oct 2024 18:27:14 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16CCFC05225B6A3E140EE91623996B86
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=T6iF33vp-G_S3j5637p-X3Q1QxoF8aIC3pYTa8O91KA; domain=.bing.com; expires=Mon, 03-Nov-2025 18:27:15 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2BF8B0FDA57D48C9845AE279DA46323C Ref B: LON601060106034 Ref C: 2024-10-09T18:27:15Z
    date: Wed, 09 Oct 2024 18:27:14 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16CCFC05225B6A3E140EE91623996B86; MSPTC=T6iF33vp-G_S3j5637p-X3Q1QxoF8aIC3pYTa8O91KA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E180AA7CEC7445098E25902413265448 Ref B: LON601060106034 Ref C: 2024-10-09T18:27:15Z
    date: Wed, 09 Oct 2024 18:27:14 GMT
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dcb20346639841f18d2e293957166e86&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    140 B
     432 B
     2
    2

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    dl.delivery.mp.microsoft.com

    DNS Response

    93.184.221.240

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    72.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    72.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.