Analysis
max time kernel: 270s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: NUEVA ORDEN DE COMPRA.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: NUEVA ORDEN DE COMPRA.exe
  Resource: win10v2004-20221111-en
General
Target: NUEVA ORDEN DE COMPRA.exe
Size: 811KB
MD5: ba9aadaadc270f2311dc84a4c33c3a8e
SHA1: ea2bc535baa5f3d9efae8df9a1928f557c72b863
SHA256: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
SHA512: 33ec365aa550cd7c7d99055c5d7f434f2e65541ccdde1a4665f74e64050f42cb9fbb3f64ec09793805e0e1792e1dcd9288eb7580fa5fe8a4f21b874c0ed0d6f4
SSDEEP: 12288:GkTDYsZ1DX/VDJtV7NuswRlClEl7xoDMvu/R9OPgpB0IOJc0:GyDYkMnoSLIMG/CPgT0Bc0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description       | ioc                                                                                                | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | NUEVA ORDEN DE COMPRA.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      | pid  | process                   | target process
  PID 4208 wrote to memory of 5072 | 4208 | NUEVA ORDEN DE COMPRA.exe | powershell.exe
  PID 4208 wrote to memory of 5072 | 4208 | NUEVA ORDEN DE COMPRA.exe | powershell.exe
  PID 4208 wrote to memory of 5072 | 4208 | NUEVA ORDEN DE COMPRA.exe | powershell.exe
  PID 4208 wrote to memory of 3468 | 4208 | NUEVA ORDEN DE COMPRA.exe | schtasks.exe
  PID 4208 wrote to memory of 3468 | 4208 | NUEVA ORDEN DE COMPRA.exe | schtasks.exe
  PID 4208 wrote to memory of 3468 | 4208 | NUEVA ORDEN DE COMPRA.exe | schtasks.exe
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZLEBiTF.exe"
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZLEBiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0E7.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpB0E7.tmp
  Filesize: 1KB
  MD5: 622f77098adcf8ed39eae9737d8c09cb
  SHA1: 502fb302c40e25a449a6d2802d6668cc48de31a4
  SHA256: 4e9dfb54ea6ed6899d27becaccb1444d18137f1a09e29e1e02d3fd393c19069c
  SHA512: c5de3869579b9053db794e4e9424f55da57e8922c3487c59b9e4664f4b328806c6309c287a7d0bb67c54b97c66c1300c158d84f4cf67934f9711e771d2e3d471
memory/3468-138-0x0000000000000000-mapping.dmp
memory/4208-132-0x0000000000B60000-0x0000000000C32000-memory.dmp
  Filesize: 840KB
memory/4208-133-0x0000000005B00000-0x00000000060A4000-memory.dmp
  Filesize: 5.6MB
memory/4208-134-0x00000000055F0000-0x0000000005682000-memory.dmp
  Filesize: 584KB
memory/4208-135-0x00000000055B0000-0x00000000055BA000-memory.dmp
  Filesize: 40KB
memory/4208-136-0x0000000001600000-0x000000000169C000-memory.dmp
  Filesize: 624KB
memory/5072-137-0x0000000000000000-mapping.dmp
memory/5072-139-0x0000000002F80000-0x0000000002FB6000-memory.dmp
  Filesize: 216KB