9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11

General

Target

f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
Size

1.2MB
MD5

f4a2a8a7d1d2c7b26f4e54ca2612f71a
SHA1

744fadee7a1e67bee2cf1a534a63483ab1d2e3f8
SHA256

9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
SHA512

4432c4f8cdfb4b36eb7f6b8794348bce1ecc06709ceb2a804998b1685d22f5f539134dc6e1df95b9834390a06ff8eb804f5bbd517522e6f4b0afa7374a4cd9c5
SSDEEP

24576:QolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FM:Q0GL6YpZmSat5LWdNhM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fofew gequa botovib moca loja faromemo sow nexonide hete.exe

pid process

1764 fofew gequa botovib moca loja faromemo sow nexonide hete.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1580 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe

pid process

1804 f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1804 f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

624 PING.EXE

pid	process
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe

pid	process
1580	cmd.exe

pid	process
1376	schtasks.exe

pid	process
624	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f4a2a8a7d1d2c7b26f4e54ca2612f71a.exefofew gequa botovib moca loja faromemo sow nexonide hete.exe

pid	process
1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
1764	fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f4a2a8a7d1d2c7b26f4e54ca2612f71a.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 1376	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	schtasks.exe
PID 1804 wrote to memory of 1376	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	schtasks.exe
PID 1804 wrote to memory of 1376	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	schtasks.exe
PID 1804 wrote to memory of 1376	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	schtasks.exe
PID 1804 wrote to memory of 1764	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 1804 wrote to memory of 1764	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 1804 wrote to memory of 1764	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 1804 wrote to memory of 1764	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 1804 wrote to memory of 1580	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	cmd.exe
PID 1804 wrote to memory of 1580	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	cmd.exe
PID 1804 wrote to memory of 1580	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	cmd.exe
PID 1804 wrote to memory of 1580	1804	f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe	cmd.exe
PID 1580 wrote to memory of 1368	1580	cmd.exe	chcp.com
PID 1580 wrote to memory of 1368	1580	cmd.exe	chcp.com
PID 1580 wrote to memory of 1368	1580	cmd.exe	chcp.com
PID 1580 wrote to memory of 1368	1580	cmd.exe	chcp.com
PID 1580 wrote to memory of 624	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 624	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 624	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 624	1580	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
"C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
2⤵
- Creates scheduled task(s)
PID:1376

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
Filesize
376.8MB

MD5
740cafbe19fed52538056ba4f6a5bd68

SHA1
bab8e503f47b724e79ab87177d0e33119f7881c8

SHA256
ba6c93c7f436b63a6d264d455bab49040d32a1ef451caf2a771573c87bd9dbd2

SHA512
4cfab680d8a5e71a89ec4cc6535e1afa79c1295f16bfffe6599c36a5de1299530550ac949115c3f55c63a65965c8f3d2ad6859262f9f5e5c29d27341b61a0386

Download Submit
\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
Filesize
384.6MB

MD5
7b5b155aff3ca13f8618bd972a91a4a6

SHA1
58853c9f0b79536196129c2b7efffaf90e08d5d8

SHA256
d24f3c8b5c3ff2de26ebf5dedf8b04a448eb2d0ed5f9d765bdc2dc8f63b1889d

SHA512
fba98a7b6e4f3634e0e700fabe023f01751a3c02e2d28f6694a0d7862b6fde9bbcb6f2dd9e2683dc859737d59bad41b4bcb0118e3205b7022c5abe06acaa4ac4

Download Submit
\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
Filesize
278.6MB

MD5
605cc424e5da99ec913ee5164ecba3d5

SHA1
049083730cb24af478b6bbf475cc9edcab4592f9

SHA256
585dc173dc8feb18e401fd898c9013ae468fe1620b46617a01cc1c8890ee7c4c

SHA512
84f8bfd6fedd16c4547ed62c679dfa11cc289ea65121f97a2aafbb2f906a27fc3ef20f7f2f56980960e32ed02e9fa920a08409b47c95d1bbfbffd0fb441aaf5e

Download Submit
memory/624-70-0x0000000000000000-mapping.dmp

Download
memory/1368-69-0x0000000000000000-mapping.dmp

Download
memory/1376-61-0x0000000000000000-mapping.dmp

Download
memory/1580-66-0x0000000000000000-mapping.dmp

Download
memory/1764-68-0x00000000022C0000-0x00000000027A7000-memory.dmp

Filesize
4.9MB

Download
memory/1764-71-0x00000000022C0000-0x00000000027A7000-memory.dmp

Filesize
4.9MB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1764-75-0x0000000000160000-0x0000000000256000-memory.dmp

Filesize
984KB

Download
memory/1764-74-0x0000000000160000-0x0000000000256000-memory.dmp

Filesize
984KB

Download
memory/1764-72-0x0000000000160000-0x0000000000256000-memory.dmp

Filesize
984KB

Download
memory/1804-58-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1804-56-0x0000000000180000-0x0000000000276000-memory.dmp

Filesize
984KB

Download
memory/1804-54-0x0000000000B30000-0x0000000001017000-memory.dmp

Filesize
4.9MB

Download
memory/1804-55-0x0000000000B30000-0x0000000001017000-memory.dmp

Filesize
4.9MB

Download
memory/1804-67-0x0000000000180000-0x0000000000276000-memory.dmp

Filesize
984KB

Download
memory/1804-57-0x0000000000180000-0x0000000000276000-memory.dmp

Filesize
984KB

Download
memory/1804-60-0x0000000000180000-0x0000000000276000-memory.dmp

Filesize
984KB

Download
memory/1804-59-0x0000000000B30000-0x0000000001017000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads