03c4a886c03d8eed421aa32b2df96d4b9a107d09aa5d797e69791b1b92794519

General

Target

9d8203962d8b5788b97804558e4347eb.exe
Size

1.5MB
MD5

9d8203962d8b5788b97804558e4347eb
SHA1

fbfec5c5bc40fab91e44e347d3429aa773968e06
SHA256

03c4a886c03d8eed421aa32b2df96d4b9a107d09aa5d797e69791b1b92794519
SHA512

a39ad21c40e6a623cfc1c9f8919b413af966f90e8847c2dcca7a85bca5908de0837a5ac11ba997ea0ee6e931775c0a01806b81f1f7a384d2294476c939ce6855
SSDEEP

24576:277xjRO4/1gy4+aDckmi7DaC+V+aqaGI5KMADy2n1Cpp4c7cxXZw:c7xjRJgywDCyDSWaCM0y2ngHdmu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Dotay forikiyi bibaja.exe

pid process

1992 Dotay forikiyi bibaja.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1200 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

9d8203962d8b5788b97804558e4347eb.exe

pid process

1812 9d8203962d8b5788b97804558e4347eb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1752 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

268 PING.EXE

pid	process
1992	Dotay forikiyi bibaja.exe

pid	process
1200	cmd.exe

pid	process
1752	schtasks.exe

pid	process
268	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9d8203962d8b5788b97804558e4347eb.exeDotay forikiyi bibaja.exe

pid	process
1812	9d8203962d8b5788b97804558e4347eb.exe
1812	9d8203962d8b5788b97804558e4347eb.exe
1812	9d8203962d8b5788b97804558e4347eb.exe
1812	9d8203962d8b5788b97804558e4347eb.exe
1812	9d8203962d8b5788b97804558e4347eb.exe
1992	Dotay forikiyi bibaja.exe
1992	Dotay forikiyi bibaja.exe
1992	Dotay forikiyi bibaja.exe
1992	Dotay forikiyi bibaja.exe
1992	Dotay forikiyi bibaja.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9d8203962d8b5788b97804558e4347eb.execmd.exe

description	pid	process	target process
PID 1812 wrote to memory of 1752	1812	9d8203962d8b5788b97804558e4347eb.exe	schtasks.exe
PID 1812 wrote to memory of 1752	1812	9d8203962d8b5788b97804558e4347eb.exe	schtasks.exe
PID 1812 wrote to memory of 1752	1812	9d8203962d8b5788b97804558e4347eb.exe	schtasks.exe
PID 1812 wrote to memory of 1752	1812	9d8203962d8b5788b97804558e4347eb.exe	schtasks.exe
PID 1812 wrote to memory of 1992	1812	9d8203962d8b5788b97804558e4347eb.exe	Dotay forikiyi bibaja.exe
PID 1812 wrote to memory of 1992	1812	9d8203962d8b5788b97804558e4347eb.exe	Dotay forikiyi bibaja.exe
PID 1812 wrote to memory of 1992	1812	9d8203962d8b5788b97804558e4347eb.exe	Dotay forikiyi bibaja.exe
PID 1812 wrote to memory of 1992	1812	9d8203962d8b5788b97804558e4347eb.exe	Dotay forikiyi bibaja.exe
PID 1812 wrote to memory of 1200	1812	9d8203962d8b5788b97804558e4347eb.exe	cmd.exe
PID 1812 wrote to memory of 1200	1812	9d8203962d8b5788b97804558e4347eb.exe	cmd.exe
PID 1812 wrote to memory of 1200	1812	9d8203962d8b5788b97804558e4347eb.exe	cmd.exe
PID 1812 wrote to memory of 1200	1812	9d8203962d8b5788b97804558e4347eb.exe	cmd.exe
PID 1200 wrote to memory of 1152	1200	cmd.exe	chcp.com
PID 1200 wrote to memory of 1152	1200	cmd.exe	chcp.com
PID 1200 wrote to memory of 1152	1200	cmd.exe	chcp.com
PID 1200 wrote to memory of 1152	1200	cmd.exe	chcp.com
PID 1200 wrote to memory of 268	1200	cmd.exe	PING.EXE
PID 1200 wrote to memory of 268	1200	cmd.exe	PING.EXE
PID 1200 wrote to memory of 268	1200	cmd.exe	PING.EXE
PID 1200 wrote to memory of 268	1200	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9d8203962d8b5788b97804558e4347eb.exe
"C:\Users\Admin\AppData\Local\Temp\9d8203962d8b5788b97804558e4347eb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Creates scheduled task(s)
PID:1752

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
"C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\9d8203962d8b5788b97804558e4347eb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1152

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
496.6MB

MD5
67b52e2fea0967d940ea4a493c3ea847

SHA1
b417188a400c6bba545b75fa2619240322597e1b

SHA256
4d6feb54f03a6e8328fb29af0239d87b9513026f89382dfde77e63223e266086

SHA512
52e70abc426f33677d280f1879a578c02245a0e5b0e6625f01557108e1dcb595f65ba9197c9a421515c5509cdcbd730f24ee472f604bbfe78616da91868e9ae4

Download Submit
\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
515.5MB

MD5
185efc31fcfdd13174a1fff61c92ab9c

SHA1
ae093299d67084cc59a64aa35256965003ed54f3

SHA256
935fbe89dd5b5fb0d19d800eaf73a2aad0b54f36dfc6746740e161bed189a410

SHA512
0687cee2451b45c38c6c08b984ce0a73494c364b6b20fe1a3a7b5e939c3ae07ffa7d3a81dc7c956908d8f002c5fb5d9a2d1a4ccef1e423f49e7e786f377e27a3

Download Submit
memory/268-68-0x0000000000000000-mapping.dmp

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1200-65-0x0000000000000000-mapping.dmp

Download
memory/1752-61-0x0000000000000000-mapping.dmp

Download
memory/1812-59-0x00000000021B0000-0x00000000028C8000-memory.dmp

Filesize
7.1MB

Download
memory/1812-56-0x0000000000710000-0x0000000000878000-memory.dmp

Filesize
1.4MB

Download
memory/1812-54-0x00000000021B0000-0x00000000028C8000-memory.dmp

Filesize
7.1MB

Download
memory/1812-55-0x00000000021B0000-0x00000000028C8000-memory.dmp

Filesize
7.1MB

Download
memory/1812-58-0x0000000000710000-0x0000000000878000-memory.dmp

Filesize
1.4MB

Download
memory/1812-57-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-66-0x0000000000710000-0x0000000000878000-memory.dmp

Filesize
1.4MB

Download
memory/1812-60-0x0000000000710000-0x0000000000878000-memory.dmp

Filesize
1.4MB

Download
memory/1992-63-0x0000000000000000-mapping.dmp

Download
memory/1992-69-0x0000000002130000-0x0000000002848000-memory.dmp

Filesize
7.1MB

Download
memory/1992-70-0x0000000002130000-0x0000000002848000-memory.dmp

Filesize
7.1MB

Download
memory/1992-71-0x0000000000590000-0x00000000006F8000-memory.dmp

Filesize
1.4MB

Download
memory/1992-72-0x0000000000590000-0x00000000006F8000-memory.dmp

Filesize
1.4MB

Download
memory/1992-74-0x0000000000590000-0x00000000006F8000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads