5b2ccb2c5b9841d63653e632204720390dafb320c849a9f2bde95967a874892b

Analysis

max time kernel
136s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

justificante.tar
Size

1.2MB
MD5

0c96cf7782de0959146e08946a29d834
SHA1

54b00b97e81523086103018fe2221cd362fc5d20
SHA256

5b2ccb2c5b9841d63653e632204720390dafb320c849a9f2bde95967a874892b
SHA512

235314b48e4a16d80fa1d86e39733577031cd3a97cd9fb0dc0464bc3450a499a8266b22a30cb5cd8ea397c253154dec7a26f25a803e1140916d2e5e2384d4788
SSDEEP

24576:aPAOd0hbOnhmfiS2vaWrzAk2LIP4ylsjM3NVzyYTjM:rZ4vf4k2o4RjMXDTjM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4696	justificante.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\resources\Woodbined189\gorgously.lnk	justificante.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023c55-2.dat	nsis_installer_1
behavioral2/files/0x000b000000023c55-2.dat	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1948	7zFM.exe
Token: 35	1948	7zFM.exe
Token: SeSecurityPrivilege	1948	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1948	7zFM.exe
1948	7zFM.exe
1948	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\justificante.tar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1948

C:\Users\Admin\Desktop\justificante.exe
"C:\Users\Admin\Desktop\justificante.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4696

C:\Users\Admin\Desktop\justificante.exe
"C:\Users\Admin\Desktop\justificante.exe"
1⤵
PID:2500

C:\Users\Admin\Desktop\justificante.exe
"C:\Users\Admin\Desktop\justificante.exe"
1⤵
PID:5112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswB7AF.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Aranyaka.Ver

Filesize
75KB

MD5
e672ce7b3e5b5903d610890b61f092de

SHA1
33e59122fce6283b37f4532e60071cc5ad008d53

SHA256
97fc741eeb4065bf8e617dffcd67e729b88d4e8a5990633baf0b64b401b9bb69

SHA512
d81ac41b30f4972ad884d469cda4effe7d1f497ff88ee7d60ecf59cf6f0a93dbfd467d22b10155407369da7598315f9f0dc6c4ff923c6454fc961d864ad26971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Beskytte\streit.jpg

Filesize
1KB

MD5
2980cd86b217d867baeaa1d7ac9d06d9

SHA1
66c25885b02be25367143bfb0884ca1414dd3c10

SHA256
3fd1bd105e698b3f7d70ebd4966852b004d83ca4704e558f7d3dd06ad201e9e0

SHA512
013c5c5effcb3e86e97f71a9a32721d6d77702d9536f8c2933c8dea6b1f963efc6689aa788846a7e46b6f72abe8cdc182bc2fe2d9d1d755446d51a5104ad4534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Beskytte\subrutinerne.txt

Filesize
4KB

MD5
83630fc7257861106087c064a51f62dd

SHA1
a12cf167039883ca3c68bff09aca333a528ba7e5

SHA256
e76427edf22b94245e19a72e2cc02298ead2a426f3d7dca0c861259619b9466a

SHA512
daad9a2c5707d73573638c0e17196c0aefe81c955087e548b42ef75ddee701afb6ac4b4d7024ef0440434317001d428ad41b4dd13a1d86137b0e2a0d88a9500a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Beskytte\unhardiness.ini

Filesize
78KB

MD5
847c27bc8ec8810471ac81ae89b16d8e

SHA1
ccabc83ecee05806e06efbc7f1ca7b13a55b1dc2

SHA256
25593662499b1e705461dddce72159eaffee5bc4f646eb9ac3d585e7ec799425

SHA512
658aa9f5c473f651223dd4354db92efa1b0c583913c6457cd6d60547b76e3de37d37aa36f4946097f58bfa20cc9afaa3f1e21027766970cf11bd8405e4522f91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\Wavelike.irl

Filesize
2.2MB

MD5
c64f89b4583b1cbc17958086073f28a2

SHA1
511205ef7d00d81ed78335f874f1e8f41d97da77

SHA256
ff76859410b5288592df9b3596b1bf3ded1b6f8f54b3e6b7c2bfdb2ec8d37feb

SHA512
edea7dc2ba43a923b85e3d1d46c5e41feacb603c038e51771e1aac302d13dfbb3a17355cf23d1f49a69a8ca51f572efdf53c7f696e8b082c4534de9440d84761

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\chirm.jpg

Filesize
77KB

MD5
043194c8f470deec9a5e433fdd8e638d

SHA1
5505d227a8fdb35a006bd70fa74118c675aa8efa

SHA256
3bcafaa6b280f52e4cc2602be99d6b4316e4961d5b01a09c90ce8354f1ab1659

SHA512
d33f2b4cf57a79383b168162df4610dc8d4958604291fefbeb0da52ab38ec50d5ecef31291de40a3a208ff0b707fab439c7c44df8508cbee74e32455d47845f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\faddier.ene

Filesize
6.0MB

MD5
541963d213e485fc5f222af3e74af8fb

SHA1
9e113a32ba98e7654405b879c0a4498693b9aef3

SHA256
bf00024bddc056421118a784ca77c0a7279af544d7a7b1dda749d2eac053f73f

SHA512
66efa6994f4b249c3897c36baaabc56e77c6e5883a9853d31faf3b731f9c6d43b833249dc5e9e96686d3f61d2b685e33e8ae94235a7b8b8ede442c3a912ad117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\kafat.ini

Filesize
4KB

MD5
4c33d4fb7fe411b717e325dac8ce0995

SHA1
22e13c4cf938c645bed0f117783623732956386a

SHA256
55dfb03a9e5129248901d06abd24f2eac3e297363cdaafbc24b457830186ddf0

SHA512
c0a131a49a8e4b05b23e9ba342f60c1527aecbb4ce1080d22bc53d10d6e4160f6cc148c111132886d7883f93fef504298be2ee502a1af070c3c4a68a7f203134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\lillebrors.txt

Filesize
5KB

MD5
5d948704ca19427ed21559fdf604ef9b

SHA1
c52ce015f3140a8d58b8528d20a7a278b19ff653

SHA256
56063cd5315f6d3043deca72ec631c9995f2da07634c8378ee2cf69e2a09010d

SHA512
696830bd3b08d61ae6b9ce2a6f29c9fbc527201e3bd300c174665694b2ecf0bd1975491bd63b912bb876316037dcb17a1237cc0c8ae27e12fa2c8680ff5164fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Bourignian\proletars.txt

Filesize
3KB

MD5
1a8c6ea1b59a75bd5315c9f1b6638b8d

SHA1
7f0bd7bed36989430d8e7d66818ff6de7c9826b2

SHA256
04d6131d3fc2e069290bcca62f1c6b0fd284f9ccf4519b8f684d8251490cac5c

SHA512
df98faa94f7a283558a7d317a864ffd130e255fe7c2fb37c327700e78898261dd5510daa409428171219f0e28307eb0c3d907c08fd001a32d6889c800213f733

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Buntmagerier99.jpg

Filesize
3KB

MD5
a83e94c52cf72696779b318aa61d9375

SHA1
f1a89e8676a3b14afd79861e707391bc2b05c07b

SHA256
d417e83744f79af982883cbc43f67afb7e69c7d674a15b646a59198a908fe6d6

SHA512
447dd661465a53cc94e0f869ffe8af310d2e5c43482eb40fa7f08e6c40eefe3d71f325d9ce2988b22501dfa471bd510da93334220c82c07f4b4317b5abfa6308

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Midlets.And

Filesize
402KB

MD5
f458390aaac39333219a2e166042249c

SHA1
3366c01f5e0bc5b5a59d5d6ece1d73d0d3457786

SHA256
83c6e932e890289997ff95bc648c715d88fbca48544c476dcfd842201c84e427

SHA512
081e6000b8f32c4e68e7543cee6eeb681c1d932613327f8210d9d04a99beea0d71f13d0b0e4c0f71826effdc04b5266b3542482e91d7677bd7800fe7504ecc04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Resolver56.dim

Filesize
5.4MB

MD5
04de99f3adb87f5326b51cda15dfd6ef

SHA1
5d7ca6803ed8a5fb82e0df306d7c52a0f51e7238

SHA256
36b9bbb037cccdf4e8487c4b891022806b63cbecc84a9d67748382c5bfd76bd0

SHA512
1f167c66f0788f002c8913ccbd045dfcc7262ecc289fd995ab78c239bb680ae5583d2f8b212b9369a25856d6def5dd681512a19288e876df2b270bd133229371

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Lividities\indlaegger\noncapillaries\Varighedens77.ove

Filesize
6.4MB

MD5
464442760296c3a67d3696d332c3dae6

SHA1
5bd0ba69df8c27bcf06eb44df80663ddc5fde3ca

SHA256
4a6b887e11af9986710131828c5314b5b54f80fa8dad17c7593d897834ff3c0e

SHA512
6af4d5fad5e6087e92f4655d41b910693d5bb8c88a42f9ca3239d09cd5382a88a3d58768218b1449080c11b646241d2d7de37996f8b111b9c188ea7c3c42135c

Download Submit
C:\Users\Admin\Desktop\justificante.exe

Filesize
1.2MB

MD5
2f92983369027037f6ffa80c15c7f447

SHA1
6e43b9ca99c8b3f92cec17a28d18629e6b8a71bb

SHA256
739fe4e674af110057f17073e129057d569f3a71ad0794a61551d82652409f66

SHA512
695d85f1ec7c2b85bd730afab5352bc5ace60feaf1a18aa01ae2cb208caf03fdff16fba21f9f4c2dff18d6d7626e7fe864301c9203d7132b3ef47e3e6ba89982

Download Submit
memory/4612-187-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-185-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-179-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-178-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-177-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-191-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-189-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-188-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-186-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download
memory/4612-190-0x000002252A220000-0x000002252A221000-memory.dmp

Filesize
4KB

Download