46fb3e0957a29ee2e6463b64930eabb9ba8949c7d2395111463be8a3a8752c19

Analysis

max time kernel
180s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INFORME COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE/OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
Size

695KB
MD5

f621bcc81502beb71cfc6cb277f541d7
SHA1

899d5a8bde60177a5ead87c999f79ee1076592e3
SHA256

1ee61e9cb3034a6229ff3975ae8c871047afcc0e9e4b21f19a9198e463ae62c2
SHA512

84514718bfc367c1a23c7dcafae2df45055d0f3001340740f1415cd6911f71d3b7a064d853c38d50e3ca774bc3221a72960f878922d2d7477eb7cfac1de5191d
SSDEEP

12288:rZeZi1X5Ni3O32PaxC119ebmiOZgIu0dFnbA:88i+3LK3eIu0dFnbA

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4984 created 3432	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	56

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
Token: SeDebugPrivilege	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1360	InstallUtil.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87
PID 4984 wrote to memory of 1360	4984	OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\INFORME COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE\OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe
  "C:\Users\Admin\AppData\Local\Temp\INFORME COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE\OFICIO COMERCIAL DE TRANSACCIÓN 18 DE OCTUBRE.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\asfddfsdfd\logs.dat

Filesize
184B

MD5
185b9086a1cf81bce1a7a22af48f25db

SHA1
a828b112010d53cd73f0e562eb8ba316902e90ff

SHA256
6af19765c9538cdb47cd8354e37ec09c3abc37ad1283dac6482bbde30f3b988a

SHA512
58256bdd7946e4acda3c35f21160e1504312c3645049bdb8bc82864b5fa011e8e8f699183ff80e85a1bb86911962a85cc3415e0fd0027b200cd734f54b9c1ecb

Download Submit
memory/4984-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/4984-1-0x00000000006C0000-0x000000000076E000-memory.dmp

Filesize
696KB

Download
memory/4984-2-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-3-0x0000000006380000-0x00000000064A4000-memory.dmp

Filesize
1.1MB

Download
memory/4984-4-0x0000000006A50000-0x0000000006FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4984-5-0x0000000006560000-0x00000000065F2000-memory.dmp

Filesize
584KB

Download
memory/4984-9-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-15-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-37-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-45-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-69-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-67-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-65-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-63-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-61-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-59-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-57-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-55-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-53-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-51-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-49-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-47-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-43-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-41-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-39-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-33-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-31-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-35-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-29-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-25-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-23-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-21-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-19-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-17-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-13-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-12-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-7-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-27-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-6-0x0000000006380000-0x000000000649F000-memory.dmp

Filesize
1.1MB

Download
memory/4984-1081-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-1080-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/4984-1082-0x00000000068D0000-0x0000000006968000-memory.dmp

Filesize
608KB

Download
memory/4984-1083-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/4984-1084-0x0000000006860000-0x00000000068B4000-memory.dmp

Filesize
336KB

Download
memory/4984-1088-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-1090-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-1091-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-1092-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4984-1106-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download