700283bca383bbe8d1fa4a157ad7517018a9941468cff328ab1a3ecebd788718

Resubmissions

10/07/2023, 12:36

230710-ps9kesac56 7

10/07/2023, 12:33

230710-pq9seaac44 7

Analysis

max time kernel
127s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
10/07/2023, 12:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rama.exe
Size

1.5MB
MD5

3b9d15addc60abe5f09129ec60f2fb74
SHA1

6be7be3543424a6a3ed72e0af41a0d5599e99147
SHA256

700283bca383bbe8d1fa4a157ad7517018a9941468cff328ab1a3ecebd788718
SHA512

8681d11a9f473e68fcfe8cec8292e7df5830cb881b29d1fd74648513c9b2143cf6562302dd2eb7bee9391b5f0d29d39f6cc234e4661987196ffd60a00acb5f34
SSDEEP

24576:dOuz3GIV6EGpBSBat+vdEv0hC5dcRx7Op71yC5TYFOlxN/VZqOPI6sMAa:suz3GDGIsvdIcRx7OpddaOdVZqOPI6n

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2812	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2812	2640	rama.exe	69
PID 2640 wrote to memory of 2812	2640	rama.exe	69
PID 2640 wrote to memory of 2812	2640	rama.exe	69

C:\Users\Admin\AppData\Local\Temp\rama.exe
"C:\Users\Admin\AppData\Local\Temp\rama.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /U S6Erude.NV -S
  2⤵
  - Loads dropped DLL
  PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\S6Erude.NV

Filesize
1.6MB

MD5
0ce3dea512f5c9a44240363196f8858d

SHA1
f421b81525c4c6d47807292425010ca963d25bd8

SHA256
87d2b670ee1c852911d2b2f490faa3939d47ca9db6f780f29d6ebf3efb2fc1bc

SHA512
11d09591f0031008f1ec0253a9359b8ebe52668c6a4ad149e300486e5a675159b9a026327c5d2ee0adc3a153e6c93f92ffbc2cc5ccb9cb12c0e96f55a5628ebd

Download Submit
\Users\Admin\AppData\Local\Temp\S6Erude.NV

Filesize
1.6MB

MD5
0ce3dea512f5c9a44240363196f8858d

SHA1
f421b81525c4c6d47807292425010ca963d25bd8

SHA256
87d2b670ee1c852911d2b2f490faa3939d47ca9db6f780f29d6ebf3efb2fc1bc

SHA512
11d09591f0031008f1ec0253a9359b8ebe52668c6a4ad149e300486e5a675159b9a026327c5d2ee0adc3a153e6c93f92ffbc2cc5ccb9cb12c0e96f55a5628ebd

Download Submit
memory/2812-123-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2812-125-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download
memory/2812-127-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2812-128-0x0000000004830000-0x000000000492D000-memory.dmp

Filesize
1012KB

Download
memory/2812-129-0x0000000004A80000-0x0000000004B63000-memory.dmp

Filesize
908KB

Download
memory/2812-132-0x0000000004A80000-0x0000000004B63000-memory.dmp

Filesize
908KB

Download
memory/2812-133-0x0000000004A80000-0x0000000004B63000-memory.dmp

Filesize
908KB

Download