ecf857c6d2ddb6613dc98b490ca582e6627a5e2c23ef0df093fee897c34f08de

General

Target

ERP_Impressora.exe
Size

4.1MB
MD5

194abc8ffd472dbd563e0cd1df8e3755
SHA1

a6fb5ff7d555234ebdfe0dba332dd946192a19f9
SHA256

ecf857c6d2ddb6613dc98b490ca582e6627a5e2c23ef0df093fee897c34f08de
SHA512

225c849e8993fbe464d8511108e60892f4d35e5aabf8773340bad7078ba1f6d41c12094a6d89a539697c5671d92254f2072e7eed42576b8f3edb1de5c71ae00c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1016	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1668	ERP_Impressora.exe
1668	ERP_Impressora.exe
1668	ERP_Impressora.exe
1668	ERP_Impressora.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27
PID 1668 wrote to memory of 1016	1668	ERP_Impressora.exe	27

C:\Users\Admin\AppData\Local\Temp\ERP_Impressora.exe
"C:\Users\Admin\AppData\Local\Temp\ERP_Impressora.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
memory/1668-54-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing