Overview

overview

10

Static

static

NUEVA ORDE...RA.exe

windows7-x64

10

NUEVA ORDE...RA.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    270s
  • max time network
    296s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NUEVA ORDEN DE COMPRA.exe

  • Size

    811KB

  • MD5

    ba9aadaadc270f2311dc84a4c33c3a8e

  • SHA1

    ea2bc535baa5f3d9efae8df9a1928f557c72b863

  • SHA256

    43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9

  • SHA512

    33ec365aa550cd7c7d99055c5d7f434f2e65541ccdde1a4665f74e64050f42cb9fbb3f64ec09793805e0e1792e1dcd9288eb7580fa5fe8a4f21b874c0ed0d6f4

  • SSDEEP

    12288:GkTDYsZ1DX/VDJtV7NuswRlClEl7xoDMvu/R9OPgpB0IOJc0:GyDYkMnoSLIMG/CPgT0Bc0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe
    "C:\Users\Admin\AppData\Local\Temp\NUEVA ORDEN DE COMPRA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZLEBiTF.exe"
      2⤵
        PID:5072
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZLEBiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0E7.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:3468

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB0E7.tmp
      Filesize

      1KB

      MD5

      622f77098adcf8ed39eae9737d8c09cb

      SHA1

      502fb302c40e25a449a6d2802d6668cc48de31a4

      SHA256

      4e9dfb54ea6ed6899d27becaccb1444d18137f1a09e29e1e02d3fd393c19069c

      SHA512

      c5de3869579b9053db794e4e9424f55da57e8922c3487c59b9e4664f4b328806c6309c287a7d0bb67c54b97c66c1300c158d84f4cf67934f9711e771d2e3d471

      Download Submit
    • memory/3468-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4208-132-0x0000000000B60000-0x0000000000C32000-memory.dmp
      Filesize

      840KB

      Download
    • memory/4208-133-0x0000000005B00000-0x00000000060A4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4208-134-0x00000000055F0000-0x0000000005682000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4208-135-0x00000000055B0000-0x00000000055BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4208-136-0x0000000001600000-0x000000000169C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/5072-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5072-139-0x0000000002F80000-0x0000000002FB6000-memory.dmp
      Filesize

      216KB

      Download