588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89

Analysis

max time kernel
107s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe
Size

208KB
MD5

05e207b1e5e75ed8da49695cead9036f
SHA1

5bd4262fc02d2676e214ba7b62ec8a1a26083ddd
SHA256

588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89
SHA512

6a73e4995bc6a11555000e08af2913d102ae1b3510f0a4a8959fb2439683407ce4dcfdcd281e82f9c6d5250b9995b1b1b711d670e3c2e4bea9c864663ba00422
SSDEEP

3072:WQIURTXJwvhb6D1MDSMm6wxRrifCsDpdViFMCPIGgDdp+X2E/jBXfXp9+TFYq3h:WsIhbuyDzm6Q5ipsKGEdO2ElXv6JYch

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3956	zibadapexide.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe

Loads dropped DLL 7 IoCs

pid	Process
3956	zibadapexide.exe
3956	zibadapexide.exe
3956	zibadapexide.exe
3956	zibadapexide.exe
3956	zibadapexide.exe
3956	zibadapexide.exe
3956	zibadapexide.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3956 set thread context of 4528	3956	zibadapexide.exe	82
PID 4528 set thread context of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3956	1848	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	81
PID 1848 wrote to memory of 3956	1848	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	81
PID 1848 wrote to memory of 3956	1848	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	81
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 3956 wrote to memory of 4528	3956	zibadapexide.exe	82
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83
PID 4528 wrote to memory of 4660	4528	588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe	83

C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe
"C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe
  "C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe" "C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe
    "C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe
      "C:\Users\Admin\AppData\Local\Temp\588da1c4790d57614178a440430e0f0fc1b1437ea73053aff0df23622daa7a89.exe"
      4⤵
      PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cohegeruro.nek

Filesize
118KB

MD5
6bdead96c3f4d5d82e573d894cf9e8f0

SHA1
ba4c5b4b74ed2699818dc9fe3c20922467d64d65

SHA256
ac91301cb14ce394a81567ccaaba92d9556f206bee7c1c5ddbd7d4e2cbe5a5e5

SHA512
467789dab1878de98928eb4425c20a0516ce1aa682042fdf03f255fda77f033aeaddbc9841192e267c632a7b33bfa6bb6852b310c40ebe9a3f9968c03281fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dahevihi.dll

Filesize
5KB

MD5
599ab5159a51352c7cc98cc7483785f0

SHA1
23cf910dd1c45095a0e98d38d3b021d49f97b03b

SHA256
93ac9117d186a20d40bbcb9828508b1ee48455beddac46d321d52cb2fa27445b

SHA512
931e59df0e86e1049cc17f7a9aaa8c86ce315c2c0a479b0439487d94bd1096623c561d8233f69aa5acd3db89a4c83c635990693f3fa082cd6cccf98580a00e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dahevihi.dll

Filesize
5KB

MD5
599ab5159a51352c7cc98cc7483785f0

SHA1
23cf910dd1c45095a0e98d38d3b021d49f97b03b

SHA256
93ac9117d186a20d40bbcb9828508b1ee48455beddac46d321d52cb2fa27445b

SHA512
931e59df0e86e1049cc17f7a9aaa8c86ce315c2c0a479b0439487d94bd1096623c561d8233f69aa5acd3db89a4c83c635990693f3fa082cd6cccf98580a00e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Docasufujiza.dll

Filesize
16KB

MD5
7c9ef9291dab5a52ef9a249cb265a0cf

SHA1
50b0a6e17105569a01b5710a82eefdc929c2e680

SHA256
1a34e0bb350baf047a9545294329aaf99214d26fb19040f5857e99b5a7d17042

SHA512
9b941f966a456b5c43e0ab5b4973b4a87ede14a7c6aac1989b7976a703f1781ea7d8c5e2135ff06982f360fbeaba25ed8c52ceed3788b5f12f08d27599d3cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaweweqesop.dll

Filesize
22KB

MD5
92555f757b0c281270a0ab0b2ffd7ae2

SHA1
403d6dd04baaeb9de283b45f858629e9499c2467

SHA256
37760a4b8b4dc736b65c7fd7b187a5057795885f3282e309818542c49140c461

SHA512
d2de8667781b03b54e43dacbd00e2653ed2912957fde30c313492735861a257905b749c0c8fbd7b74d7ee60800f99cf33d960ccd73be9fd3d281b3d1f457eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuwatutiwaq.dll

Filesize
16KB

MD5
992c2d657efcf0769b5eb738d1bd5639

SHA1
97e7cc36f1ed8c58e4bbee1891a3a6e9c97cdce3

SHA256
8744d3f2290c351f6ace3f6f4b32a5d8a339bed4b35feac337b35c68c38742bb

SHA512
8e8c3882d5d091a110ffbb4fe209ad1e9cf4ec8997be5366ec29147a8a0529deb8abe2b605c8c1a50670c0124278f94bc8e30dec09a8fbf49ce19a1ee61c740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe

Filesize
45KB

MD5
660def71aa357a70ff3ba34bec2fe3cd

SHA1
debf138e19afdc1ba2b03f111cd30ab03219442a

SHA256
174ac694463ac9887b31b2e2c84fb5ad7a8101d2a561de5b1f5262ecca967842

SHA512
93ff7b8fa87df0920f2938dc77822e81d56459f25547f9252d186a493c9d6f2162e1e4254b91fbde2371e87e2fe558f65c019764e4207174bdddce7f6a5183bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zibadapexide.exe

Filesize
45KB

MD5
660def71aa357a70ff3ba34bec2fe3cd

SHA1
debf138e19afdc1ba2b03f111cd30ab03219442a

SHA256
174ac694463ac9887b31b2e2c84fb5ad7a8101d2a561de5b1f5262ecca967842

SHA512
93ff7b8fa87df0920f2938dc77822e81d56459f25547f9252d186a493c9d6f2162e1e4254b91fbde2371e87e2fe558f65c019764e4207174bdddce7f6a5183bb

Download Submit
memory/3956-148-0x00000000004E1000-0x00000000004E4000-memory.dmp

Filesize
12KB

Download
memory/3956-147-0x00000000004C1000-0x00000000004C5000-memory.dmp

Filesize
16KB

Download
memory/3956-144-0x00000000004B1000-0x00000000004B4000-memory.dmp

Filesize
12KB

Download
memory/4528-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4528-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-155-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4660-157-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download