2e644ef57ac147bc5283cc5192792a3a396c68f62c8c90ce870e0eea276430ea

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOLICITUD DE OFERTA.exe
Size

624KB
MD5

b47e1ab501e4a96100632e46f4506468
SHA1

5b3a1dd3ed22be9caa31a1a3106b9cb8b37158c0
SHA256

2e644ef57ac147bc5283cc5192792a3a396c68f62c8c90ce870e0eea276430ea
SHA512

84a133d0afe249cdb472f594ada771e13218f2a0945e26cd811efd2b35e725648ffda0ec63eefd7e60cca8a1202da7a4c68ae5946abcbd6e39172ce8dcfe7f1e
SSDEEP

12288:/eS2Cp0JwEk/+d9a5VQircJlWG+jbJJ7E18gWo7Or:V2CnEkmdGV9rcJD+jo8r

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4060	SOLICITUD DE OFERTA.exe
4060	SOLICITUD DE OFERTA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Harmoniserede\Straffefanstalterne\Henlggelses\Subangled.ini	SOLICITUD DE OFERTA.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Atophan\Indboets\Trimyristin.Boa	SOLICITUD DE OFERTA.exe
File opened for modification	C:\Windows\Skraldenglers.ini	SOLICITUD DE OFERTA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4060	SOLICITUD DE OFERTA.exe
Token: SeCreatePagefilePrivilege	4060	SOLICITUD DE OFERTA.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4512	4060	SOLICITUD DE OFERTA.exe	84
PID 4060 wrote to memory of 4512	4060	SOLICITUD DE OFERTA.exe	84
PID 4060 wrote to memory of 4512	4060	SOLICITUD DE OFERTA.exe	84

C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe
"C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo C:\Users\Admin\Skillemnt\Redepreciated.Luf
  2⤵
  PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA994.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA994.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
memory/4060-138-0x0000000002980000-0x0000000002A81000-memory.dmp

Filesize
1.0MB

Download
memory/4060-139-0x0000000002980000-0x0000000002A81000-memory.dmp

Filesize
1.0MB

Download