Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-es
- resource tags: arch:x64, arch:x86, image:win7-20240903-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 30/10/2024, 13:52
Behavioral tasks
- behavioral1: Sample -.exe, Resource win7-20241023-es
- behavioral2: Sample -.exe, Resource win10v2004-20241007-es
- behavioral3: Sample FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd, Resource win7-20240903-es
- behavioral4: Sample FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd, Resource win10v2004-20241007-es
General
- Target: FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd
- Size: 6.9MB
- MD5: 9029b50732be7b60a8da21528e5127e4
- SHA1: 2dda289dda6d8d30c01aef905f7c5ed4f5b80a9b
- SHA256: 9b473d8800df286816abdd44e5eae44c98e1a7ce29029f48de9109e6fd9a329f
- SHA512: d0dddb8b4a0d4c67f2f5eb2941906e07b00af5b1f809e1ed5435d356dea0d709f794a474635ecb6eb08801eb98eeb1b83c8b8393ca75c6a22117a2b9fd1d4b58
- SSDEEP: 24576:dXbexdi7iH3MNJv7uTLoioB602dqT1w5GYPWX4X7FMt8SLG+puZDlWtbc96JDZXv:Z
Malware Config
Signatures

- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  4     2368  powershell.exe
  6     2368  powershell.exe
  7     2368  powershell.exe
  9     792   powershell.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ipinfo.io

- System Binary Proxy Execution: Verclsid (1 TTP, 1 IoC)
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  pid   Process
  540   verclsid.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2368  powershell.exe
  792   powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2368  powershell.exe
  Token: SeDebugPrivilege   792   powershell.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description                          pid   Process  procid_target
  PID 920 wrote to memory of 1416      920   cmd.exe  31
  PID 920 wrote to memory of 1416      920   cmd.exe  31
  PID 920 wrote to memory of 1416      920   cmd.exe  31
  PID 920 wrote to memory of 2512      920   cmd.exe  32
  PID 920 wrote to memory of 2512      920   cmd.exe  32
  PID 920 wrote to memory of 2512      920   cmd.exe  32
  PID 2512 wrote to memory of 2368     2512  cmd.exe  33
  PID 2512 wrote to memory of 2368     2512  cmd.exe  33
  PID 2512 wrote to memory of 2368     2512  cmd.exe  33
  PID 2776 wrote to memory of 548      2776  cmd.exe  40
  PID 2776 wrote to memory of 548      2776  cmd.exe  40
  PID 2776 wrote to memory of 548      2776  cmd.exe  40
  PID 2776 wrote to memory of 2036     2776  cmd.exe  41
  PID 2776 wrote to memory of 2036     2776  cmd.exe  41
  PID 2776 wrote to memory of 2036     2776  cmd.exe  41
  PID 2036 wrote to memory of 792      2036  cmd.exe  42
  PID 2036 wrote to memory of 792      2036  cmd.exe  42
  PID 2036 wrote to memory of 792      2036  cmd.exe  42
Processes

- C:\Windows\system32\cmd.exe
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd"
  PID: 920
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /S /D /c" echo %DL1H1T6DTG5P% "
    PID: 1416
  - C:\Windows\system32\cmd.exe
    Command: cmd.exe /c powershell.exe -exec bypass -nop -win 1 -
    PID: 2512
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell.exe -exec bypass -nop -win 1 -
      PID: 2368
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\verclsid.exe
  Command: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 540
  Signatures: System Binary Proxy Execution: Verclsid

- C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd"
  PID: 2776
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /S /D /c" echo %DL1H1T6DTG5P% "
    PID: 548
  - C:\Windows\system32\cmd.exe
    Command: cmd.exe /c powershell.exe -exec bypass -nop -win 1 -
    PID: 2036
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell.exe -exec bypass -nop -win 1 -
      PID: 792
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c62d774a6e52696a3995cf08f6ca2277
  SHA1: 51553e45e03fe53a29d895dcc9b805ef8c8f6bdd
  SHA256: cf636c36bade577a75fe0a7d30bc62587c999f180668b927ba30edcc5e4f712c
  SHA512: 6af99678a33585187221c0aedd3c81b052e5699a601ba0ebc8ebdd24621038cea70f62a2a66a8f1d47e5f34402b133570fab1bebf8e410c9679167c8c26619c4

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FB9BVWVQ43ZL6S6I9MA7.temp
  Filesize: 7KB
  MD5: c5a0a905734d4ff0debfd8cc276a4343
  SHA1: bce6fa8a609bb156f6452862bb76cd726b7749c1
  SHA256: 9d896c97fd9a92f469c77a5aa80701ad8e4ed877ffe5851cbd006534dabc8aa0
  SHA512: 8f6e0cc124434251e452698c8045917141c305961a1fa39c208cd3777dc8cad79ee205c535db59d9cffd9f858fe7359d8a2d27155c84794881ad1901a9e897e0