a81076c506153d7ad7ea9e20b73f4d5266ea457a7af35beb437fbf22160c23a5

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
Size

597KB
MD5

6a43f35b77a44c42cb33927c4f08797a
SHA1

0e7d1c52bc14ec2f95c1ef095f565091ace2f1b5
SHA256

8d9fec419d0893e5b2e6a2f1fbbc70102be16b2aa5fbe3708401d2ee52ab62e9
SHA512

0d8b3c48c65303ea0bec74a907b85b8bcfdbd8765ef9b3cf33ca0a43d09a17ed0d488d1de3a65b22aede229eead5c84a018a19494434ee7ba1bc4992b0021da8
SSDEEP

6144:KQA4zfgMigGBfCppM2mxlkxYylRgajBLkjje2zZG9msXoStVb74gW:ecc6TM2mxSjlRb8Hz4Azs6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

pid process

1492 R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
1492 R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

pid	process
1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

Drops file in System32 directory 1 IoCs

Processes:

R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Fabriksskorstene\Docsmith\Porthors\Sbeoperaen.ini	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

Drops file in Windows directory 3 IoCs

Processes:

R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Miljstyrelser\Forpraktikanternes\Kontrolafdelingernes.Wil	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
File opened for modification	C:\Windows\resources\0409\Folien\Pipile.ini	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
File created	C:\Windows\Fonts\Padishahs\Unanimatedness\knippers\Ankrendes.lnk	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe

description	pid	process	target process
PID 1492 wrote to memory of 1160	1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe	cmd.exe
PID 1492 wrote to memory of 1160	1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe	cmd.exe
PID 1492 wrote to memory of 1160	1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe	cmd.exe
PID 1492 wrote to memory of 1160	1492	R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe
"C:\Users\Admin\AppData\Local\Temp\R_018996_GRUPO OCLEM_RCL181378_SEPTEMBER_2022.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c echo C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Zootomic\Triangulationen\Femkampene\Nailproof\Levnedsmiddellovenes63\Loomed.pre
2⤵
PID:1160

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyDF8.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDF8.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
memory/1160-56-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-58-0x0000000003890000-0x00000000039EC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads