Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/10/2024, 02:05
General
-
Target
OrcamePDF.exe
-
Size
178KB
-
MD5
7cd87f8ad0cd8279f8699cd441238338
-
SHA1
523c83c22647164b7e7465fecaf798f3be5ac2d8
-
SHA256
71a7f53796731bd270704b825af080d1e84e2bb4d2184bb77926cd895dc87214
-
SHA512
b5ee28a24ba6fc4bb0e8a5b0c1a5adbfac204be43635ad99998bd4617726a5b5f95876dbdc7807b30cc74569b431ef7eb4a540f3e62b759e2fb36df9cff10796
-
SSDEEP
3072:k+sGBD3O9O6qe+4T+vqwqYROyCUbSIMAAAAAAAUAAAk2o5U:kZGBD3O9O6qe+4T+vqwqYROyCUbSDv5U
Malware Config
Extracted
https://raw.githubusercontent.com/massgravel/Microsoft-Activation-Scripts/b1b5299c4725d97349b18b59061647198f7cc59b/MAS/All-In-One-Version-KL/MAS_AIO.cmd
https://bitbucket.org/WindowsAddict/microsoft-activation-scripts/raw/b1b5299c4725d97349b18b59061647198f7cc59b/MAS/All-In-One-Version-KL/MAS_AIO.cmd
https://codeberg.org/massgravel/Microsoft-Activation-Scripts/raw/commit/b1b5299c4725d97349b18b59061647198f7cc59b/MAS/All-In-One-Version-KL/MAS_AIO.cmd
https://rochaservicos.online/www.zip
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OrcamePDF.exe"C:\Users\Admin\AppData\Local\Temp\OrcamePDF.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Rerdsim.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -file C:\Users\Admin\AppData\Roaming\Rerdsim.ps13⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Ternura\72669756\Ternura.exe"C:\Users\Admin\AppData\Roaming\Ternura\72669756\Ternura.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
90B
MD53cb326b1ffaa1874d03a4a8d43332b16
SHA16eef7f32c7669ed89bff2df61faf61d4e4038506
SHA2566abb56ddfc94567a026af95597e4f54256edbecd4158ceb15c7e3f0d15931516
SHA5128741c8138069844f60dea699e6919c18fd658174e904df521cd75e9aef67b4593ea18b0567212420b5e0b8df84f3b49fb9845c37351ea75db5ece8a75d794d13
-
Filesize
2KB
MD55c26dc436889cdcefdf3e145b43f1806
SHA14f96e93bb2011e69f77d458b092257911e74de9d
SHA256dc68909778fb5c96bcb0b2f5ea912ea6b663549a15c33fb65c9ae85124ba2427
SHA512242e2aa9f69fc8849c3bbd8ff3ee6c37195e1de691f82cc6d46b93522d2f3a164ae1b56e9848f13f3f5fbf1a40d408d4a9632fc251a8a81efc5123ccb640beee
-
Filesize
1.9MB
MD53a664689942da6efa5bb2723de27d048
SHA1a0e245fef2593ba1ed221a990c4d3ef11febacdd
SHA256e3a2956fe651fe68ac2188b65292c16c0fa605ed1194db6992ad4d4928336420
SHA512944415233adaa5e6616c95cdfc2f5854bea67fe4fbda10c506fba0217231f422d505d64648a6aee9d208eb595ff6bb2362f907495bbd3cfe9970048fcdf05105
-
Filesize
37.2MB
MD50b253f29f531cef78d8c798b8437a3bc
SHA142e71ddf718ec5f09955a2601647a757b49c091c
SHA256a222347bd0f34e4d4ba6dd729434cee64f21585ff52e9d9a742d20c76d04a2d6
SHA512b39a1f0dc17ad0c7ea770535a241850f2583cda5a64a2d5914dd2f6afa800e9ef58ff581cc6211891e593058cce5a788d918cec565c7678d00f3da3186294cd5
-
Filesize
37.2MB
-
Filesize
6.4MB
-
Filesize
16.0MB
-
Filesize
37.2MB
-
Filesize
6.4MB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
4KB