Analysis
- max time kernel: 105s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 30/10/2024, 13:52
Behavioral tasks
- behavioral1: sample -.exe, resource win7-20241023-es
- behavioral2: sample -.exe, resource win10v2004-20241007-es
- behavioral3: sample FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd, resource win7-20240903-es
- behavioral4: sample FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd, resource win10v2004-20241007-es
General
- Target: FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd
- Size: 6.9MB
- MD5: 9029b50732be7b60a8da21528e5127e4
- SHA1: 2dda289dda6d8d30c01aef905f7c5ed4f5b80a9b
- SHA256: 9b473d8800df286816abdd44e5eae44c98e1a7ce29029f48de9109e6fd9a329f
- SHA512: d0dddb8b4a0d4c67f2f5eb2941906e07b00af5b1f809e1ed5435d356dea0d709f794a474635ecb6eb08801eb98eeb1b83c8b8393ca75c6a22117a2b9fd1d4b58
- SSDEEP: 24576:dXbexdi7iH3MNJv7uTLoioB602dqT1w5GYPWX4X7FMt8SLG+puZDlWtbc96JDZXv:Z
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  6 | 2084 | powershell.exe
  15 | 2084 | powershell.exe
  16 | 2084 | powershell.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  11 | ipinfo.io
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2084 | powershell.exe
  2084 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2084 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1448 wrote to memory of 5072 | 1448 | cmd.exe | 85
  PID 1448 wrote to memory of 5072 | 1448 | cmd.exe | 85
  PID 1448 wrote to memory of 5116 | 1448 | cmd.exe | 86
  PID 1448 wrote to memory of 5116 | 1448 | cmd.exe | 86
  PID 5116 wrote to memory of 2084 | 5116 | cmd.exe | 87
  PID 5116 wrote to memory of 2084 | 5116 | cmd.exe | 87
Processes
- C:\Windows\system32\cmd.exe (PID 1448)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FormulariomillasbonusLATAM_ZmRftcN8bM1W0r.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 5072)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo %DL1H1T6DTG5P% "
  - C:\Windows\system32\cmd.exe (PID 5116)
    Command line: cmd.exe /c powershell.exe -exec bypass -nop -win 1 -
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2084)
      Command line: powershell.exe -exec bypass -nop -win 1 -
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82