Analysis
  max time kernel: 135s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 16/11/2022, 09:18
  Static task: static1
  Behavioral task: behavioral1
  Sample: f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
  Resource: win7-20220812-en
General
  Target: f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
  Size: 1.2MB
  MD5: f4a2a8a7d1d2c7b26f4e54ca2612f71a
  SHA1: 744fadee7a1e67bee2cf1a534a63483ab1d2e3f8
  SHA256: 9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
  SHA512: 4432c4f8cdfb4b36eb7f6b8794348bce1ecc06709ceb2a804998b1685d22f5f539134dc6e1df95b9834390a06ff8eb804f5bbd517522e6f4b0afa7374a4cd9c5
  SSDEEP: 24576:QolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FM:Q0GL6YpZmSat5LWdNhM
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 1764  fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Deletes itself (1 IoC)
  PID 1580  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1804  f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
  PID 1804  f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; on its own it is a weak indicator, since drive enumeration is also routine for installers and stagers, and this report records no file-encryption activity.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1376  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 624  PING.EXE
  Here ping 127.0.0.1 serves only as a short delay before the self-delete (see the cmd.exe command line under Processes).

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 1804  f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe  (5 hits)
  PID 1764  fofew gequa botovib moca loja faromemo sow nexonide hete.exe  (5 hits)

Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID  Source process                         Target PID  procid_target  Hits
  1804        f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe   1376        30             4
  1804        f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe   1764        32             4
  1804        f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe   1580        33             4
  1580        cmd.exe                                1368        35             4
  1580        cmd.exe                                624         36             4
  Every target is a child the source process has just spawned, so these writes are consistent with ordinary process creation (the parent writing into the new child's address space) rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe"
  PID 1804
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
    PID 1376
    - Creates scheduled task(s)
    Note: the task name COMSurrogate mimics a legitimate Windows component name; /sc onlogon re-runs the dropped EXE at every logon, /rl highest requests the highest privileges available to the creating user, and /f silently overwrites any existing task of that name.

  C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
    Command line: "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
    PID 1764
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe"
    PID 1580
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Note: ping 127.0.0.1 is a delay so the parent can exit and release its image file before DEL runs; chcp 65001 switches the console code page to UTF-8. Only the original sample in Temp is removed; the copy under the user profile remains and is what the scheduled task launches.

    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID 1368

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID 624
      - Runs ping.exe

The command lines reference C:\Windows\System32, but the recorded image paths are under SysWOW64: the sample runs as a 32-bit process on the x64 image (resource tags arch:x86/arch:x64), so WOW64 file-system redirection resolves its System32 references to the 32-bit copies of those tools.
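The chain above (schtasks /create with an onlogon trigger pointing at a dropped binary under the user profile, then cmd.exe delaying with ping before deleting its parent's image) is what an endpoint detection would key on. The following Python is an added example written for this page, not code from the sandbox report or its tooling. It rebuilds the process tree as a list of process-creation events constructed from the page's command lines and PIDs (the sample's own parent PID is not in the report, so 0 is assumed), tokenizes Windows command lines with quote handling, and flags both patterns. The function names and rule labels are the example's own.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, as an EDR or Sysmon Event ID 1 would record it."""
    pid: int
    ppid: int
    image: str      # executable path actually mapped (SysWOW64 here: 32-bit process on x64)
    cmdline: str    # command line as passed to CreateProcess


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes.
    Quotes are dropped; backslashes are literal (unlike a POSIX shlex split)."""
    toks, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_logon_task(ev: ProcEvent):
    """schtasks /create with a logon/startup trigger whose action lives in a user profile."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    opts = {}
    for i, t in enumerate(low):
        if t in ("/tn", "/sc", "/rl", "/tr") and i + 1 < len(toks):
            opts[t] = toks[i + 1]          # keep original case for names and paths
    trigger = opts.get("/sc", "").lower()
    target = opts.get("/tr", "")
    if trigger in ("onlogon", "onstart") and target.lower().startswith("c:\\users\\"):
        return {"rule": "logon_task_user_path", "pid": ev.pid, "task": opts.get("/tn"),
                "runlevel": opts.get("/rl", "").lower(), "target": target}
    return None


def detect_self_delete(ev: ProcEvent, by_pid: dict):
    """cmd.exe deleting the image file of its own parent, optionally delayed with ping."""
    if basename(ev.image) != "cmd.exe":
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None:
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    for verb in ("del", "erase"):
        if verb not in low:
            continue
        rest = toks[low.index(verb) + 1:]
        # first non-switch token after DEL is the path being deleted
        path = next((t for t in rest if not t.startswith("/")), None)
        if path and path.lower() == parent.image.lower():
            return {"rule": "parent_self_delete", "pid": ev.pid, "deleted": path,
                    "delayed_by_ping": "ping" in low}
    return None


def analyze(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for f in (detect_logon_task(e), detect_self_delete(e, by_pid)):
            if f:
                findings.append(f)
    return findings


# Constructed from the process tree in this report; PIDs and command lines are the report's.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f4a2a8a7d1d2c7b26f4e54ca2612f71a.exe"
DROPPED = r"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
EVENTS = [
    ProcEvent(1804, 0, SAMPLE, f'"{SAMPLE}"'),  # ppid 0 is assumed: the launcher is not in the report
    ProcEvent(1376, 1804, r"C:\Windows\SysWOW64\schtasks.exe",
              rf'"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "{DROPPED}"'),
    ProcEvent(1764, 1804, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1580, 1804, r"C:\Windows\SysWOW64\cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "{SAMPLE}"'),
    ProcEvent(1368, 1580, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(624, 1580, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Matching on the parent's image path rather than on "ping && del" alone is what keeps the self-delete rule quiet on ordinary cleanup scripts; the scheduled-task rule deliberately ignores the task name, since COMSurrogate is one of many legitimate-looking names an operator can pick, and keys on the trigger and the user-writable action path instead.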
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 376.8MB
  MD5: 740cafbe19fed52538056ba4f6a5bd68
  SHA1: bab8e503f47b724e79ab87177d0e33119f7881c8
  SHA256: ba6c93c7f436b63a6d264d455bab49040d32a1ef451caf2a771573c87bd9dbd2
  SHA512: 4cfab680d8a5e71a89ec4cc6535e1afa79c1295f16bfffe6599c36a5de1299530550ac949115c3f55c63a65965c8f3d2ad6859262f9f5e5c29d27341b61a0386

File 2
  Filesize: 384.6MB
  MD5: 7b5b155aff3ca13f8618bd972a91a4a6
  SHA1: 58853c9f0b79536196129c2b7efffaf90e08d5d8
  SHA256: d24f3c8b5c3ff2de26ebf5dedf8b04a448eb2d0ed5f9d765bdc2dc8f63b1889d
  SHA512: fba98a7b6e4f3634e0e700fabe023f01751a3c02e2d28f6694a0d7862b6fde9bbcb6f2dd9e2683dc859737d59bad41b4bcb0118e3205b7022c5abe06acaa4ac4

File 3
  Filesize: 278.6MB
  MD5: 605cc424e5da99ec913ee5164ecba3d5
  SHA1: 049083730cb24af478b6bbf475cc9edcab4592f9
  SHA256: 585dc173dc8feb18e401fd898c9013ae468fe1620b46617a01cc1c8890ee7c4c
  SHA512: 84f8bfd6fedd16c4547ed62c679dfa11cc289ea65121f97a2aafbb2f906a27fc3ef20f7f2f56980960e32ed02e9fa920a08409b47c95d1bbfbffd0fb441aaf5e

The report does not say which artifact each download is. All three are hundreds of times larger than the 1.2MB submission; padding a dropped payload to that size is a common way to exceed the size limits of AV engines and upload scanners, so check the dropped EXE's size before relying on hash-based blocking of the original sample alone.