76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24

Analysis

max time kernel
91s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe
Size

208KB
MD5

511766e0be737fdca6b5bdfce55c3025
SHA1

99a874db395d7e8bb7ccdafdef03feb85a7fb45d
SHA256

76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24
SHA512

2ecc043d0746be4d6621d4897edf226582d51c43e004752e30a16b541ea362ec74488766dd70839cf28e4dc9a3315dec0107612020c0c147493b2d365ee29656
SSDEEP

3072:WQIURTXJwvhb6D1MDSMm6wxRrifCsDpdViFMCPIGgDdp+X2E/jBXfXp9+TFYqO:WsIhbuyDzm6Q5ipsKGEdO2ElXv6JYH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5068	zibadapexide.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe

Loads dropped DLL 7 IoCs

pid	Process
5068	zibadapexide.exe
5068	zibadapexide.exe
5068	zibadapexide.exe
5068	zibadapexide.exe
5068	zibadapexide.exe
5068	zibadapexide.exe
5068	zibadapexide.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 3032	5068	zibadapexide.exe	91
PID 3032 set thread context of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 5068	1828	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	84
PID 1828 wrote to memory of 5068	1828	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	84
PID 1828 wrote to memory of 5068	1828	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	84
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 5068 wrote to memory of 3032	5068	zibadapexide.exe	91
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92
PID 3032 wrote to memory of 4708	3032	76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe	92

C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe
"C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe
  "C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe" "C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe
    "C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe
      "C:\Users\Admin\AppData\Local\Temp\76cc281124fbad26f8dddbfc9c942df16b012b5c7ed20f0ffb220316d3b34c24.exe"
      4⤵
      PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cohegeruro.nek

Filesize
118KB

MD5
6bdead96c3f4d5d82e573d894cf9e8f0

SHA1
ba4c5b4b74ed2699818dc9fe3c20922467d64d65

SHA256
ac91301cb14ce394a81567ccaaba92d9556f206bee7c1c5ddbd7d4e2cbe5a5e5

SHA512
467789dab1878de98928eb4425c20a0516ce1aa682042fdf03f255fda77f033aeaddbc9841192e267c632a7b33bfa6bb6852b310c40ebe9a3f9968c03281fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dahevihi.dll

Filesize
5KB

MD5
599ab5159a51352c7cc98cc7483785f0

SHA1
23cf910dd1c45095a0e98d38d3b021d49f97b03b

SHA256
93ac9117d186a20d40bbcb9828508b1ee48455beddac46d321d52cb2fa27445b

SHA512
931e59df0e86e1049cc17f7a9aaa8c86ce315c2c0a479b0439487d94bd1096623c561d8233f69aa5acd3db89a4c83c635990693f3fa082cd6cccf98580a00e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dahevihi.dll

Filesize
5KB

MD5
599ab5159a51352c7cc98cc7483785f0

SHA1
23cf910dd1c45095a0e98d38d3b021d49f97b03b

SHA256
93ac9117d186a20d40bbcb9828508b1ee48455beddac46d321d52cb2fa27445b

SHA512
931e59df0e86e1049cc17f7a9aaa8c86ce315c2c0a479b0439487d94bd1096623c561d8233f69aa5acd3db89a4c83c635990693f3fa082cd6cccf98580a00e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe

Filesize
45KB

MD5
660def71aa357a70ff3ba34bec2fe3cd

SHA1
debf138e19afdc1ba2b03f111cd30ab03219442a

SHA256
174ac694463ac9887b31b2e2c84fb5ad7a8101d2a561de5b1f5262ecca967842

SHA512
93ff7b8fa87df0920f2938dc77822e81d56459f25547f9252d186a493c9d6f2162e1e4254b91fbde2371e87e2fe558f65c019764e4207174bdddce7f6a5183bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe

Filesize
45KB

MD5
660def71aa357a70ff3ba34bec2fe3cd

SHA1
debf138e19afdc1ba2b03f111cd30ab03219442a

SHA256
174ac694463ac9887b31b2e2c84fb5ad7a8101d2a561de5b1f5262ecca967842

SHA512
93ff7b8fa87df0920f2938dc77822e81d56459f25547f9252d186a493c9d6f2162e1e4254b91fbde2371e87e2fe558f65c019764e4207174bdddce7f6a5183bb

Download Submit
memory/3032-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4708-154-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4708-157-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-147-0x00000000006B1000-0x00000000006B5000-memory.dmp

Filesize
16KB

Download
memory/5068-148-0x00000000006A1000-0x00000000006A4000-memory.dmp

Filesize
12KB

Download
memory/5068-144-0x0000000000691000-0x0000000000694000-memory.dmp

Filesize
12KB

Download