f7b6fe9f584bc1662bf71f4baa1a242edfe7d823eb1538f24065fd9094e9b02f

Analysis

Target

KERSEL00000209419.scr
Size

976KB
MD5

f9ddb4afd10f811f82d3efc7335a3899
SHA1

7132e4e6d07df37905950ef8d92f38b12ae4832e
SHA256

f7b6fe9f584bc1662bf71f4baa1a242edfe7d823eb1538f24065fd9094e9b02f
SHA512

a172061299d4b7ec2d54e32379f4e2156e0176964282b481acfd354993bddca979e5a98335b9905572de4c4ac8b5ab56b3743daff690f89933b9248a4eeec2ab

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

oamjouuda.pif

pid process

1320 oamjouuda.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1320	oamjouuda.pif

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

KERSEL00000209419.scr

description	pid	process	target process
PID 412 wrote to memory of 1320	412	KERSEL00000209419.scr	oamjouuda.pif
PID 412 wrote to memory of 1320	412	KERSEL00000209419.scr	oamjouuda.pif
PID 412 wrote to memory of 1320	412	KERSEL00000209419.scr	oamjouuda.pif

C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr
"C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif
"C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif" qgxxhbeeur.fak
2⤵
- Executes dropped EXE
PID:1320

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
memory/1320-115-0x0000000000000000-mapping.dmp

Download