9e459f0e7279c11fe25ea5b97737beefb6708dd844d9e5e29d0e089c7943f99e

Resubmissions

24/03/2025, 02:10

250324-cl4dlstths 10

24/03/2025, 02:02

250324-cgb4kaxks8 10

Analysis

max time kernel
427s
max time network
549s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
24/03/2025, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REPO_ElEnemigos.rar
Size

387.1MB
MD5

8eb5c7ef9a8a34b5e33f9c97a724d7cf
SHA1

877927612c0b5eb2921bc52fb467011479bd3571
SHA256

9e459f0e7279c11fe25ea5b97737beefb6708dd844d9e5e29d0e089c7943f99e
SHA512

05056f2968565507a9688163e943547f7ca48beb0133749235c388feae781e66c9cd99e7d9b046d07052023327808d3b93fbd737ab5664bf2d623de7fd93323f
SSDEEP

6291456:Xw1OJp69lW75YCC3/HSq6vOwBXIZVMY8TB8mkzCKRMamFEJGxz:gIJp2A1YCIJKXgVD8TkzCxFCS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	R.E.P.O Launcher.exe

Executes dropped EXE 4 IoCs

pid	Process
2920	REPO.exe
4988	R.E.P.O Launcher.exe
1708	REPO.exe
4308	REPO.exe

Loads dropped DLL 12 IoCs

pid	Process
2920	REPO.exe
2920	REPO.exe
2920	REPO.exe
2920	REPO.exe
1708	REPO.exe
1708	REPO.exe
1708	REPO.exe
1708	REPO.exe
4308	REPO.exe
4308	REPO.exe
4308	REPO.exe
4308	REPO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.E.P.O Launcher.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4936	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
580	7zFM.exe
2996	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	580	7zFM.exe
Token: 35	580	7zFM.exe
Token: SeSecurityPrivilege	580	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
580	7zFM.exe
580	7zFM.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe
2996	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4936	2996	OpenWith.exe	96
PID 2996 wrote to memory of 4936	2996	OpenWith.exe	96
PID 4988 wrote to memory of 1708	4988	R.E.P.O Launcher.exe	98
PID 4988 wrote to memory of 1708	4988	R.E.P.O Launcher.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\REPO_ElEnemigos.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4020

C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe
"C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\REPO_ElEnemigos\ElEnemigos_Launcher.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4936

C:\Users\Admin\Desktop\REPO_ElEnemigos\R.E.P.O Launcher.exe
"C:\Users\Admin\Desktop\REPO_ElEnemigos\R.E.P.O Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe
  "C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1708

C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe
"C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\REPO_ElEnemigos\ElEnemigos_Launcher.json

Filesize
62B

MD5
d4476a8c8f0f637333667566b03080d4

SHA1
f42d4ebdd9cee2fbac861f6ba58e6ec1768e9076

SHA256
486343641558eade27caa13109fe6a4377c44aec21cca488a75223da149aa5d3

SHA512
3cc26a615107ff21137a7dbf9e541c784257ed86d16c1d524a1a1e042c5c1c71deebb6a5ad342ce684c921be972d31b6910d48088b259140c760c1f4a4b0157b

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\ElEnemigos_Launcher.json

Filesize
88B

MD5
e8254a91128552518ce6979a0f109444

SHA1
2ee900f86275aeeb26767a47aab061e09b38ac6f

SHA256
bff4f6832446e49e02b5deb207f001c9c60e118932dc4ce6456c90a0b176ab86

SHA512
bd6820399ce30cd2d468e4111cacb780d11616696a37f40faf66857c42b89d1f508084369dae47ace8887b3288b2aa5a68c54861018b23d8a6d4c16b9d6d9d82

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\MonoBleedingEdge\etc\mono\4.5\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\R.E.P.O Launcher.exe

Filesize
172KB

MD5
a28214ec9363ee22458ff2765303a869

SHA1
a7da6cbcca7f334a64d2eb7fd1fa1da5a4a77fe2

SHA256
1959cf4399a3fdf24397697ed7da33242a81dc5c76b0fc98955a445c8bc7305f

SHA512
136a8d015091fc9db228f92727033b1d46ad5e392062ae856828fde8de1516d76250df05b9e95afceac47014ff1db1aff4ca06ff4f8e887eb0e5107ae2783c87

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\REPO.exe

Filesize
651KB

MD5
37e2e7e012343ccef500133286fcbf27

SHA1
4b7e66039d04b14ddcfb580a6e6a395ea52222be

SHA256
1643ff9ed131adde7a22363f26d36308b4b4fb8f9ba61e5afce3b6803c5cb302

SHA512
418dcb69e506f42248c00459eb3fa5a576006fead83cb5372e5710a8e95265654c316bbb314e4b8afa69e393a7cdf01219b7e17095d1990ab418f0aed68c687e

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\SteamOverlay64.dll

Filesize
114KB

MD5
0a5429b888c75f6525e1100e32dd2b69

SHA1
8ae224580aa0838a7b1570c79d4d8f27a1b46d19

SHA256
f784b4b85b627c7ea541bd2a90c9fc6e9736a0731707c31265aa86fe684dc2df

SHA512
5f77ac9619ccb5baebabb2e406ce265148ad18c6e1162c7d4c3a5656f38abedf90f756a829da856312689a738a3258382f37a279843bf7db0c14ac953c6992ef

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\UnityPlayer.dll

Filesize
29.5MB

MD5
b33d91200048e718c7207367f49d60fe

SHA1
cc95b2632f33ec9a533852df3402c58ef3faf0c1

SHA256
4b34672318371b54be9d89c9482a91ab3d26ae5d209935b8ad5919e00ec4f1d9

SHA512
edc94d2deab48e3aa57566904ebafc7082d63f14901c36067783deb10538e74124cdbadc72d40ec3c9db09c9e1cd27b18bdfd1969545e2607d34d5d12ec1d220

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\dlllist.txt

Filesize
139B

MD5
7dd443df8404c42b7db22908ad5132b9

SHA1
302f827ca20c8b4c7d71a466907c2421661429e1

SHA256
4b93c54c0d588197645352d11ebc066f6f8150a2826ed04c1525ae865ce00153

SHA512
a5be18614385400aadc57c2bd09760ac58a367b3bd1643b2e4aaa2db5426e5fe806a5428568fadc896243f65f7391c12f71b83475ed6db9ad175de6c3ab9f530

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\winhttp.dll

Filesize
25KB

MD5
b2a4d0cb04bf8f5a27ccab237ecc2586

SHA1
c305de177f4193558d2a9a7a8cddff21a0db7f8e

SHA256
d3b62f4c9c3e2196ef82603c52d6b98c043a0d6c125c081fd33d7ca3798b41b8

SHA512
1b2e91ae3a636746aab68cbaccd0c4fba98cf434ad710d2fb9c0985b458fbb3724dc73ae209e2a7db1d48555bd7733c721775e5b0d3d901e80f0d7eba7e7d8f9

Download Submit
C:\Users\Admin\Desktop\REPO_ElEnemigos\winmm.dll

Filesize
512KB

MD5
e59aac558d9f9c5d1312ac24d09c51d5

SHA1
2f11c4b00f5f92d4466348f9501aa657c9bf6fa7

SHA256
ba37009eef6c041bc6d0a271c13679fb9e14a005bd7e038cee596cd4064cf8b3

SHA512
1c3b357074d62d5ca11c92d71ffdacb4a7e3d6fb17cbd4b489e5bea0032cea43650a6809388e98e4b98256b477c6b5dbd8fd2c7f4e3e08af00ef68e0ed4406d0

Download Submit
memory/4988-441-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/4988-442-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/4988-443-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4988-444-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download