66b7d6a454320a3f7f9cae8910c0ea2824075536b689635417d79b022a1d933c

Analysis

max time kernel
179s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comunicado Judicial Proferido del Código penal. Articulo 287/Oficio Judicial Proferido del Código penal. Articulo 287.exe
Size

3.3MB
MD5

ad99305ad18406a8b71c8c5ed39964cd
SHA1

cb491af5054798d83567e904032da7e61c29de31
SHA256

5f4b7ad2a652a53de76f0278d01129be79ee9b6b8c99c18b5249a073f47f0a9d
SHA512

88488e580b60f2c9681f96734518a79837985c9c2b4ec47e2505304ab70f58063ee79a6e152edad97066f56782f19b2e71f0e2189256f41c91071ff221ee3367
SSDEEP

24576:OIhdJeLdstdSQIFKhEb/XjpygFVYIvBS2+PuaRNnaXhBi6eWrLg:JJeLduUBS2CUvi6eWrc

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

description pid process target process

PID 4408 created 3356 4408 Oficio Judicial Proferido del Código penal. Articulo 287.exe Explorer.EXE

description	pid	process	target process
PID 4408 created 3356	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	Explorer.EXE

Drops startup file 1 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AlgorithmType.vbs	Oficio Judicial Proferido del Código penal. Articulo 287.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

description	pid	process	target process
PID 4408 set thread context of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exeInstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oficio Judicial Proferido del Código penal. Articulo 287.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

pid process

4408 Oficio Judicial Proferido del Código penal. Articulo 287.exe

pid	process
4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

description	pid	process
Token: SeDebugPrivilege	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe
Token: SeDebugPrivilege	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

2784 InstallUtil.exe

pid	process
2784	InstallUtil.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Oficio Judicial Proferido del Código penal. Articulo 287.exe

description	pid	process	target process
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe
PID 4408 wrote to memory of 2784	4408	Oficio Judicial Proferido del Código penal. Articulo 287.exe	InstallUtil.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Comunicado Judicial Proferido del Código penal. Articulo 287\Oficio Judicial Proferido del Código penal. Articulo 287.exe
  "C:\Users\Admin\AppData\Local\Temp\Comunicado Judicial Proferido del Código penal. Articulo 287\Oficio Judicial Proferido del Código penal. Articulo 287.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data\registros.dat

Filesize
184B

MD5
d92ab3572b3a49cf8bb1abade451ff2b

SHA1
d7f8570269be37c3cd66b0c53a74f711b82b7049

SHA256
428265c99caa52472367de1fcd7664c0f8bdcc2df7e857221f1534d151e0fca4

SHA512
cc6dcecf0db4658b7b8ffb9b344a979466e3cc545466ed1ac350077601bb99eb10a91da9d744275ba57dcf93d534eb02e433e3879db8cd21e63f802e7c297eac

Download Submit
memory/4408-0-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/4408-1-0x0000000000ED0000-0x0000000001222000-memory.dmp

Filesize
3.3MB

Download
memory/4408-2-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-3-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/4408-4-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-5-0x0000000007370000-0x0000000007496000-memory.dmp

Filesize
1.1MB

Download
memory/4408-6-0x0000000007A70000-0x0000000008014000-memory.dmp

Filesize
5.6MB

Download
memory/4408-7-0x00000000075C0000-0x0000000007652000-memory.dmp

Filesize
584KB

Download
memory/4408-11-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-8-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-17-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-57-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-71-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-69-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-67-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-65-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-63-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-61-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-59-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-55-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-53-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-51-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-49-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-47-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-45-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-43-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-39-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-37-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-35-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-33-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-41-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-31-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-27-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-25-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-24-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-21-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-19-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-15-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-13-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-9-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-29-0x0000000007370000-0x0000000007490000-memory.dmp

Filesize
1.1MB

Download
memory/4408-1082-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-1083-0x0000000006D80000-0x0000000006E18000-memory.dmp

Filesize
608KB

Download
memory/4408-1084-0x0000000007810000-0x000000000785C000-memory.dmp

Filesize
304KB

Download
memory/4408-1085-0x0000000005640000-0x0000000005694000-memory.dmp

Filesize
336KB

Download
memory/4408-1090-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-1092-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-1091-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-1108-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download