Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 20:09
Static task: static1
Behavioral task behavioral1: sample justificante de pago.exe, resource win7-20241010-en
Behavioral task behavioral2: sample justificante de pago.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Fyldiges.ps1, resource win7-20241010-en
Behavioral task behavioral4: sample Fyldiges.ps1, resource win10v2004-20241007-en
General
Target: justificante de pago.exe
Size: 990KB
MD5: d3c00b7eda8c538a2938610398e69a74
SHA1: cd93e03dc64c2064d0aa586e00a00f9c99ea36bc
SHA256: 2e2dd6f6dd471723ad206f6b8f154f3a84aba592e2838942b5e35b4378522ef4
SHA512: 719c03d1ded02334f1f74812f8e4a193f9028291eb190d4e241b4b34b055c6c7deef31bf33bea047a551ee14df35443a6cefe294907ac87b0918dade5f470837
SSDEEP: 24576:J+63+OSOWAnNN591nNr8xAGuwIm/yWiopvC9wF:J+tOSqnNN591S/RaWi6MwF
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
Processes: powershell.exe (PID 1472), powershell.exe (PID 2172)
Drops file in Program Files directory (1 IoC)
Processes: justificante de pago.exe
  File opened for modification: C:\Program Files (x86)\Common Files\Hemicrane.ini
Drops file in Windows directory (3 IoCs)
Processes: justificante de pago.exe
  File created: C:\Windows\resources\0409\syntonolydian\statsminister.lnk
  File opened for modification: C:\Windows\resources\0409\federalt\Telephonists230.Ube
  File opened for modification: C:\Windows\resources\snagline.sub
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: justificante de pago.exe, powershell.exe, powershell.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (justificante de pago.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe (PID 1472), powershell.exe (PID 2172)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
  Token: SeDebugPrivilege (PID 1472, powershell.exe)
  Token: SeDebugPrivilege (PID 2172, powershell.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: justificante de pago.exe
  PID 2848 (justificante de pago.exe) wrote to memory of PID 1472 (powershell.exe), 4 times
  PID 2848 (justificante de pago.exe) wrote to memory of PID 2172 (powershell.exe), 4 times
All eight writes target the two powershell.exe children the sample itself spawns, which is the pattern a parent produces while setting up a child it has just created. On its own this entry is therefore not evidence of injection into an unrelated process; the process tree below is the more useful view of what these writes accompany.
Processes
C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe (PID 2848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\justificante de pago.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1472)
    Command line: powershell.exe -windowstyle hidden "$Minimals=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Fyldiges.Tid';$Aesthete=$Minimals.SubString(54366,3);.$Aesthete($Minimals)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2172)
    Command line: powershell.exe -windowstyle hidden "$Minimals=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Fyldiges.Tid';$Aesthete=$Minimals.SubString(54366,3);.$Aesthete($Minimals)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Both children run the same one-liner from the 32-bit (SysWOW64) PowerShell host with the window hidden. It reads the staging file Fyldiges.Tid under the user's AppData\Local\fona\Kvit directory into a single string, takes the three characters at offset 54366, and then uses the call operator (`.`) to invoke whatever command those three characters name, passing the whole file content as the argument. The name of the command that actually executes the staging file therefore never appears on the command line; in loaders built this way it is normally the iex alias of Invoke-Expression, but the report does not show the file's content, so the value at that offset has to be confirmed from the dropped file itself (compare the Fyldiges.ps1 behavioral tasks above).
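The following Python script is an added triage example, not part of the sandbox report or of the sample. It parses the command line shown above for the staging-file path and the SubString(offset, length) selector, reads the selected characters out of a staging file to recover the command name the loader would call (without invoking anything), and then runs a simple shape-based check over process-creation events. The staging-file content (CONSTRUCTED_BLOB, with "iex" placed at offset 54366 purely for illustration) and the key=value event lines (SAMPLE_EVENTS) are constructed for the example; the real Fyldiges.Tid is not in the report.

```python
"""Triage helpers for the PowerShell stager in the process tree above.

Added example, not part of the sandbox report. Nothing from the sample is
executed: the staging file is only read and sliced, the way the one-liner's
SubString() call slices it, so the analyst learns which command the loader
would call before deciding whether to detonate anything.
"""
import re

# Command line of PIDs 1472 and 2172, copied from the report's process tree.
CMDLINE = (
    'powershell.exe -windowstyle hidden "$Minimals=Get-Content -raw '
    "'C:\\Users\\Admin\\AppData\\Local\\fona\\Kvit\\Fyldiges.Tid';"
    '$Aesthete=$Minimals.SubString(54366,3);.$Aesthete($Minimals)"'
)

# Stand-in for Fyldiges.Tid (constructed; the real file is not in the report).
# The loader only cares about the three characters at offset 54366, so the
# rest is filler. "iex" is an assumed value chosen for illustration.
CONSTRUCTED_BLOB = "#" * 54366 + "iex" + " Write-Output 'decoy second stage'"

STAGER_RE = re.compile(
    r"Get-Content\s+-raw\s+'(?P<path>[^']+)'"                 # file the loader reads
    r".*?\.SubString\((?P<offset>\d+),\s*(?P<length>\d+)\)",  # selector into it
    re.IGNORECASE | re.DOTALL,
)


def parse_stager(cmdline):
    """Extract the staging-file path and the SubString(offset, length) selector.
    Returns None when the command line does not follow this pattern."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("offset")),
        "length": int(m.group("length")),
    }


def resolve_command(blob, offset, length):
    """Return the command name the selector picks out of the staging file.
    `.$Aesthete($Minimals)` calls whatever these characters name, so this is
    the loader's real entry point, recovered without running it."""
    if offset + length > len(blob):
        raise ValueError("selector points past the end of the staging file")
    return blob[offset:offset + length]


def inspect_stager(cmdline, read_text):
    """Combine both steps. read_text(path) supplies the staging file's content
    (a real reader would open the path from the sandbox's dropped files)."""
    info = parse_stager(cmdline)
    if info is None:
        return None
    blob = read_text(info["path"])
    info["command"] = resolve_command(blob, info["offset"], info["length"])
    return info


# Process-creation events in a constructed key=value format (not real logs).
SAMPLE_EVENTS = [
    "EventID=1 ParentImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\justificante de pago.exe "
    "Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=" + CMDLINE,
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -windowstyle hidden -File C:\\ops\\nightly-backup.ps1",
    "EventID=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -Command \"Get-Content -raw 'C:\\ops\\build.log'\"",
]

# Every marker must be present: a hidden window, a raw read of a file, a
# substring selector, and the call operator applied to a variable.
STAGER_MARKERS = ("-windowstyle hidden", "get-content -raw", ".substring(", ".$")


def looks_like_stager(cmdline):
    lowered = cmdline.lower()
    return all(marker in lowered for marker in STAGER_MARKERS)


def find_stager_events(events):
    """Return the indexes of events whose CommandLine matches the stager shape."""
    hits = []
    for idx, line in enumerate(events):
        _, _, cmdline = line.partition("CommandLine=")
        if cmdline and looks_like_stager(cmdline):
            hits.append(idx)
    return hits


if __name__ == "__main__":
    print(inspect_stager(CMDLINE, lambda _path: CONSTRUCTED_BLOB))
    print(find_stager_events(SAMPLE_EVENTS))
```

The marker check is deliberately strict: a hidden-window PowerShell that runs a script file, or an interactive Get-Content on a log, does not match, while the four pieces together are rarely seen in administrative use. Variants that abbreviate the switch (-w hidden) or call Invoke-Expression directly need their own markers; the selector-extraction part is independent of that and works on any command line that reads a file with Get-Content -raw and slices it with SubString.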
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file (no path recorded in the report)
  Filesize: 898B
  MD5: cdb23e8da3adab7f58280186abf30572
  SHA1: 0599fb63a7fa857094947726ea8a7b5e142172f0
  SHA256: 00d34a0f08952acbfc03c1a44db12f384819b83f4340d2e6a90576b394d8481b
  SHA512: c8cb8fcb6ba9aee25d9f1afc83e488aef22145a02f895714ad9dbea9040390240485926655f4593c1094c451089a5a0852300cf10b64fdaccc8a51ef0c86dd2b
Dropped file (no path recorded in the report)
  Filesize: 852B
  MD5: f531f1b805017206cd3d0f52e088fbbf
  SHA1: 00eacc2e15236a38e743d0203493335c029d97ca
  SHA256: 0b472228e563bfb78ab84bcee81c5e86bfb54ed3d24b1cef470c00d54c6d1a22
  SHA512: bceeb4c7dbcb458e42a923ed21f1e37a6404c75f7e76d43a0005bef21a9c6c7efc8e0b4aec8b301f98f8dc95e8e741dfa5bb86ace74548f56331e6eec7b5bb09
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 0cbab3a16d4a738d250d9875401732e4
  SHA1: f598fd94570c18c2bc5827e2eda04d1f5cbddafc
  SHA256: 393ea13c5d77e80ac443ca757c6c46de1a33a9495f1e5870cc47657f5cf4c513
  SHA512: b667cf4f1d2a90632c0aa94a6b323c6e6f14869078c2f69df5f9d76104b4866b89f12a5faee61619fa5d31e43741e9fddc17265defb4345170db6b0953002b79
  This is a Windows jump-list file in the user's Recent folder; it records an application's recent-items list and is a side effect of programs running during the analysis, not a payload written by the sample. The two small unnamed files above are the ones worth pulling from the sandbox for inspection.