Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 13:32
Static task: static1
Behavioral task: behavioral1
Sample: PEDIDO PV0155511.exe
Resource: win7-20241010-en
General
Target: PEDIDO PV0155511.exe
Size: 806KB
MD5: 2a5ad62b4cf94952164467b22c0064a5
SHA1: 8cb2cee66a55b620969a1093b5f8590a6a4cc7ca
SHA256: 358474ad2351f5a3b12e63af3097541879a12f45a395be698b45107ae295b1e1
SHA512: 4ff9d3c2e835c468b8e5fa225ecb01c77df6e68469feb2ef2cb22b17edeec8f81882c8bcadb75345aa4f5360af668c4649aa0469534d5416c856542ad3a9b104
SSDEEP: 24576:7RY7ECknlgbxch0oIKF6ReKabril9OLxKn:7ReECMlgbBPKHKkrilk
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot8171626722:AAGIo9PvRpFrmWwamfv0SMURLy1PCYFG9a8/sendMessage?chat_id=6542615755
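The extracted configuration is a single Telegram Bot API URL, which is the channel this DarkCloud sample uses to send stolen data. The following added example is not part of the sandbox report or of the malware: it splits such a URL into the atomic indicators an analyst records (bot id, full bot token, Bot API method, destination chat_id) and scans a text dump for further URLs of the same shape. EXTRACTED_URL is the value shown above; SAMPLE_STRINGS, the second URL inside it and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs

# Telegram Bot API URL as it appears in stealer configs:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>[?chat_id=...&...]
# <bot_id>:<secret> together form the bot token, i.e. the operator's credential.
TELEGRAM_BOT_URL = re.compile(
    r"""https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)(\?[^\s"'<>]*)?"""
)

# The URL extracted from this sample (taken from the report above).
EXTRACTED_URL = (
    "https://api.telegram.org/bot8171626722:AAGIo9PvRpFrmWwamfv0SMURLy1PCYFG9a8"
    "/sendMessage?chat_id=6542615755"
)

# Constructed string dump for the scanner: the report's URL plus a made-up second bot
# posting to a group (negative chat_id), quoted the way a strings dump might show them,
# and one line that mentions the host without being a bot URL.
SAMPLE_STRINGS = (
    'config: "' + EXTRACTED_URL + '"\n'
    'alt: "https://api.telegram.org/bot1234567890:AAHexample_token_with_35_characters_x'
    '/sendDocument?chat_id=-1001234567890"\n'
    'noise: https://api.telegram.org/ is not a bot URL\n'
)


def parse_telegram_c2(url):
    """Split one Bot API URL into indicators. Raises ValueError on anything else."""
    m = TELEGRAM_BOT_URL.fullmatch(url.strip())
    if not m:
        raise ValueError("not a Telegram Bot API URL: %r" % url)
    bot_id, secret, method, query = m.groups()
    params = parse_qs(query[1:]) if query else {}
    chat_id = params.get("chat_id", [None])[0]
    return {
        "bot_id": int(bot_id),              # public half; identifies the bot to Telegram
        "bot_token": f"{bot_id}:{secret}",  # full credential; handle as sensitive in reports
        "method": method,                   # sendMessage vs sendDocument: text vs file exfil
        "chat_id": chat_id,                 # destination; None if the config omits it
        "chat_is_group": chat_id is not None and chat_id.startswith("-"),
    }


def find_telegram_c2(blob):
    """Scan a text blob (strings dump, memory dump, decoded config) for Bot API URLs."""
    return [parse_telegram_c2(m.group(0)) for m in TELEGRAM_BOT_URL.finditer(blob)]


if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_STRINGS):
        print(hit)
```

Two caveats when turning this into controls: the bot id, token and chat_id live in the HTTPS path and query, so a proxy without TLS inspection only ever sees the host api.telegram.org, which legitimate clients also use; and the token is the operator's credential for that bot, so it belongs in the abuse report to Telegram and in pivots across other samples rather than in a public IoC list.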
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process               target process
  PID 2044 set thread context of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                              process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      PEDIDO PV0155511.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      PEDIDO PV0155511.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2044  PEDIDO PV0155511.exe
  2044  PEDIDO PV0155511.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2044  PEDIDO PV0155511.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  3052  PEDIDO PV0155511.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                     pid   process               target process
  PID 2044 wrote to memory of 1336  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 1336  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 1336  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
  PID 2044 wrote to memory of 3052  2044  PEDIDO PV0155511.exe  PEDIDO PV0155511.exe
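Read together, the WriteProcessMemory and SetThreadContext rows describe the first instance (PID 2044) spawning two copies of its own image, writing into both, and redirecting execution in only one of them (PID 3052), which is also the copy that goes on to install a Windows hook; PID 1336 receives three writes and nothing further is recorded for it. The following added example is not sandbox code: it encodes that reasoning as detection logic over a flat event list. The PIDs, image path and row counts come from the report; the event schema, field names and verdict strings are this example's own, and the rows are constructed to restate the signature tables.

```python
from collections import Counter

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe"

# Process tree as reported: pid -> (parent pid, image path). None = parent outside the trace.
PROCESSES = {
    2044: (None, IMAGE),
    1336: (2044, IMAGE),
    3052: (2044, IMAGE),
}

NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed event list restating the signature rows in this example's own schema
# ("op", "pid", optional "target"/"privilege"/"key"); the sandbox exports no such format.
EVENTS = (
    [{"op": "AdjustPrivilegeToken", "pid": 2044, "privilege": "SeDebugPrivilege"}]
    + [{"op": "WriteProcessMemory", "pid": 2044, "target": 1336}] * 3
    + [{"op": "WriteProcessMemory", "pid": 2044, "target": 3052}] * 8
    + [{"op": "SetThreadContext", "pid": 2044, "target": 3052}]
    + [{"op": "SetWindowsHookEx", "pid": 3052}]
    + [{"op": "RegOpenKey", "pid": p, "key": NLS_KEY} for p in (2044, 3052)]
)


def detect_self_injection(processes, events):
    """One finding per (writer, target) pair that received cross-process memory writes.

    A write followed by SetThreadContext from the same writer is the hollowing /
    thread-hijack pattern; a write with no context change is recorded but not
    promoted, because nothing shows the written code ever ran."""
    writes = Counter((e["pid"], e["target"]) for e in events if e["op"] == "WriteProcessMemory")
    ctx = {(e["pid"], e["target"]) for e in events if e["op"] == "SetThreadContext"}
    hooks = {e["pid"] for e in events if e["op"] == "SetWindowsHookEx"}
    debug = {e["pid"] for e in events
             if e["op"] == "AdjustPrivilegeToken" and e.get("privilege") == "SeDebugPrivilege"}
    findings = []
    for (writer, target), count in sorted(writes.items()):
        parent, target_image = processes.get(target, (None, None))
        writer_image = processes.get(writer, (None, None))[1]
        finding = {
            "writer": writer,
            "target": target,
            "write_count": count,
            "target_is_child": parent == writer,
            # Same image path as the writer: the child is a hollowed copy of the loader,
            # so image-based allowlists see a process that looks identical to its parent.
            "same_image": target_image is not None and target_image == writer_image,
            "thread_context_set": (writer, target) in ctx,
            "writer_has_debug_priv": writer in debug,
            "target_installs_hook": target in hooks,
        }
        if finding["thread_context_set"]:
            finding["verdict"] = "process hollowing / thread hijack of own child"
        else:
            finding["verdict"] = "memory written, no SetThreadContext recorded (execution not shown)"
        findings.append(finding)
    return findings


def findings_by_target(processes, events):
    """Index the findings by target PID for quick lookup."""
    return {f["target"]: f for f in detect_self_injection(processes, events)}


if __name__ == "__main__":
    for f in detect_self_injection(PROCESSES, EVENTS):
        print(f)
```

The pattern is the same one an EDR would key on: a parent opening its own child with write access and then changing a thread context. Telemetry that only records process creation cannot distinguish the hollowed child from a benign self-relaunch, since image path and command line are identical; the cross-process write (for example Sysmon Event ID 10 with PROCESS_VM_WRITE in the granted access mask) is the signal to alert on.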
Processes

C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe"
  PID: 2044
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe"
    PID: 1336

  child: C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PEDIDO PV0155511.exe"
    PID: 3052
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx