4119afdd7fb25978a0f7fa74cdb6be97df0a67ddc3607efbce5de855d9a765d2

General

Target

61f9d2b055b4c6b2fcd157f73ae63cd1.exe
Size

1.5MB
MD5

61f9d2b055b4c6b2fcd157f73ae63cd1
SHA1

f4e42225c42c5378ccd4e03b7ccb465d79797388
SHA256

4119afdd7fb25978a0f7fa74cdb6be97df0a67ddc3607efbce5de855d9a765d2
SHA512

58e321c0d746ed4da8f7bbe19c4524544449a67f1f84b5cb87b3c64107bf6639ed0f163d5f5f8cfa58cbd7dbfacb12439cfea5376dc052f271df124e09fe2c3e
SSDEEP

24576:277xjRO4/1gy4+aDckmi7DaC+V+aqaGI5KMADy2n1Cpp4c7cxXZh:c7xjRJgywDCyDSWaCM0y2ngHdm7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Dotay forikiyi bibaja.exe

pid process

1744 Dotay forikiyi bibaja.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1196 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.exe

pid process

1736 61f9d2b055b4c6b2fcd157f73ae63cd1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1120 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1888 PING.EXE

pid	process
1744	Dotay forikiyi bibaja.exe

pid	process
1196	cmd.exe

pid	process
1120	schtasks.exe

pid	process
1888	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.exeDotay forikiyi bibaja.exe

pid	process
1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
1744	Dotay forikiyi bibaja.exe
1744	Dotay forikiyi bibaja.exe
1744	Dotay forikiyi bibaja.exe
1744	Dotay forikiyi bibaja.exe
1744	Dotay forikiyi bibaja.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 1120	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 1736 wrote to memory of 1120	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 1736 wrote to memory of 1120	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 1736 wrote to memory of 1120	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 1736 wrote to memory of 1744	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 1736 wrote to memory of 1744	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 1736 wrote to memory of 1744	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 1736 wrote to memory of 1744	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 1736 wrote to memory of 1196	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 1736 wrote to memory of 1196	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 1736 wrote to memory of 1196	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 1736 wrote to memory of 1196	1736	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 1196 wrote to memory of 1720	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 1720	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 1720	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 1720	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 1888	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1888	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1888	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1888	1196	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe
"C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Creates scheduled task(s)
PID:1120

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
"C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
308.8MB

MD5
664ca750ddcae0f096a7d3abbc6a0e21

SHA1
4d06c97cf9005678412cbcdf85e6e2f08743533b

SHA256
28cc3aea70b96f09e4c187a0dde60da654e81983c40cac0735621736751fc900

SHA512
b125a62e2b5400e429595386c083136056b9840180abce0d23b2c2941381b0096572deeb065239ba2c963a35b6f4b8bd965f83f169e2dfb0fdd049e243038daf

Download Submit
\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
304.8MB

MD5
ff68018fde46842b46d25426e99364c5

SHA1
bfe40a0092a18b8d4baf8eb26a2a51cc754af8fe

SHA256
93f68834612e671da331925d9cca93d3f913a3d628a988d79dc9d5617876a90b

SHA512
f3b61f2ffd93a0313961eb9cacd2b172a5fc8a2870d41aa5db7e61beed21a5bc1ec19f64c668e92bdd938ac823162eaaf25b3db17d9677b54d3fc2d4a5ec368d

Download Submit
memory/1120-61-0x0000000000000000-mapping.dmp

Download
memory/1196-65-0x0000000000000000-mapping.dmp

Download
memory/1720-67-0x0000000000000000-mapping.dmp

Download
memory/1736-59-0x0000000001EC0000-0x00000000025D8000-memory.dmp

Filesize
7.1MB

Download
memory/1736-55-0x0000000001EC0000-0x00000000025D8000-memory.dmp

Filesize
7.1MB

Download
memory/1736-54-0x0000000001EC0000-0x00000000025D8000-memory.dmp

Filesize
7.1MB

Download
memory/1736-58-0x00000000025E0000-0x0000000002748000-memory.dmp

Filesize
1.4MB

Download
memory/1736-60-0x00000000025E0000-0x0000000002748000-memory.dmp

Filesize
1.4MB

Download
memory/1736-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x00000000025E0000-0x0000000002748000-memory.dmp

Filesize
1.4MB

Download
memory/1736-66-0x00000000025E0000-0x0000000002748000-memory.dmp

Filesize
1.4MB

Download
memory/1744-63-0x0000000000000000-mapping.dmp

Download
memory/1744-69-0x0000000002230000-0x0000000002948000-memory.dmp

Filesize
7.1MB

Download
memory/1744-70-0x0000000002230000-0x0000000002948000-memory.dmp

Filesize
7.1MB

Download
memory/1744-71-0x00000000008A0000-0x0000000000A08000-memory.dmp

Filesize
1.4MB

Download
memory/1744-73-0x00000000008A0000-0x0000000000A08000-memory.dmp

Filesize
1.4MB

Download
memory/1744-74-0x0000000002230000-0x0000000002948000-memory.dmp

Filesize
7.1MB

Download
memory/1744-75-0x00000000008A0000-0x0000000000A08000-memory.dmp

Filesize
1.4MB

Download
memory/1888-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads