Overview

overview

10

Static

static

1

Orden de c...23.exe

windows7-x64

3

Orden de c...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden de compra del proveedor OC_No 1435 27-03-2023.exe

  • Size

    822KB

  • MD5

    91da3743bb05e6744e50fe749f5a9cc6

  • SHA1

    fbb00ec09354ded8bf1b7f18f2e9cb2ef0e3d3b3

  • SHA256

    b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56

  • SHA512

    08bb7e82f83aa4d5146838b8cdc2c40382656c8db8775792d850b3bf5426f53a4e5b9e3420c16e4b4140767a030e0eab9d3339f5182f6390def143d470f3f277

  • SSDEEP

    12288:LUJB0Oq8p2ZEtCgO27/mW9XqUjX5OFUuOWGt0p4VedclBeHlOrh1CuQvpAoJhZ:AZpTtV7fjc36veA1Gx9D

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
    "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YCNgsiXL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YCNgsiXL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1868
    • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
      "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
      2⤵
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
        "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
        2⤵
          PID:1564
        • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
          "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
          2⤵
            PID:864
          • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
            "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
            2⤵
              PID:112
            • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
              "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
              2⤵
                PID:1172

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp
              Filesize

              1KB

              MD5

              28abd624f5229b260c3e58a83bc4126f

              SHA1

              afd00e326dbbaf7413c7b6e5a80f3f0785790148

              SHA256

              4ea0e9565faa88a3f58e1714b95ae4ba97550aef764c79e233a3a233a50fa7d5

              SHA512

              917cb4cb4c6cfa90c984c43dc9692d543810bde6ebf8d1a7abb06f5fab1b0e10900750e22b23edd027b64a0ba5a18d96e4bf5b78c360bcec3b21a970c502772f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y8UVJ1IA4GOBJY88KK02.temp
              Filesize

              7KB

              MD5

              d5196f7dc7f860bf8c79a1e7378d4b29

              SHA1

              0a4f3e27ad13fa747bca83eb3379c629f4e560e4

              SHA256

              55a8c03a625a99b32c105700a49e5b890f609ba49c79bbf2a91827a0520d0156

              SHA512

              8e194f13f11760feb15c8f45d7f9bd7c07b74edbd540278bc80f31f28adcc9709ea493b95e81b3e768c8a8c5c81969abb238d6d3a724a199bd43acab6a107468

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              d5196f7dc7f860bf8c79a1e7378d4b29

              SHA1

              0a4f3e27ad13fa747bca83eb3379c629f4e560e4

              SHA256

              55a8c03a625a99b32c105700a49e5b890f609ba49c79bbf2a91827a0520d0156

              SHA512

              8e194f13f11760feb15c8f45d7f9bd7c07b74edbd540278bc80f31f28adcc9709ea493b95e81b3e768c8a8c5c81969abb238d6d3a724a199bd43acab6a107468

              Download Submit
            • memory/1124-74-0x00000000024B0000-0x00000000024F0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1168-75-0x0000000002580000-0x00000000025C0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1168-73-0x0000000002580000-0x00000000025C0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1376-57-0x0000000004DF0000-0x0000000004E30000-memory.dmp
              Filesize

              256KB

              Download
            • memory/1376-59-0x0000000007FF0000-0x00000000080A0000-memory.dmp
              Filesize

              704KB

              Download
            • memory/1376-58-0x0000000000480000-0x000000000048C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1376-72-0x0000000004420000-0x0000000004458000-memory.dmp
              Filesize

              224KB

              Download
            • memory/1376-54-0x0000000000390000-0x0000000000464000-memory.dmp
              Filesize

              848KB

              Download
            • memory/1376-56-0x0000000000350000-0x0000000000370000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1376-55-0x0000000004DF0000-0x0000000004E30000-memory.dmp
              Filesize

              256KB

              Download