Analysis

max time kernel: 140s
max time network: 91s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2022, 18:10

Static task: static1
Behavioral task: behavioral1
Sample: cd48383befb4dce49fb855d64f500ca1.exe
Resource: win7-20220812-en
General

Target: cd48383befb4dce49fb855d64f500ca1.exe
Size: 1.2MB
MD5: cd48383befb4dce49fb855d64f500ca1
SHA1: af506733441826dbd789c972a2d627038c0c80af
SHA256: 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
SHA512: 193aa7aae1f12f70b692e4bf5ac7ce8846256da76cbbdc68c1a9fe5746931cb92196ea1505ed49aab81bd45616eb7811940fbd29a83383ed95dd5f0336a9183f
SSDEEP: 24576:jolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FF:j0GL6YpZmSat5LWdNhF
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid    Process
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Deletes itself (1 IoC)
  pid    Process
  364    cmd.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1660   cd48383befb4dce49fb855d64f500ca1.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  536    schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid    Process
  548    PING.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    Process
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1660   cd48383befb4dce49fb855d64f500ca1.exe
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  1524   fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid    Process                                 procid_target
  PID 1660 wrote to memory of 536    1660   cd48383befb4dce49fb855d64f500ca1.exe    30
  PID 1660 wrote to memory of 536    1660   cd48383befb4dce49fb855d64f500ca1.exe    30
  PID 1660 wrote to memory of 536    1660   cd48383befb4dce49fb855d64f500ca1.exe    30
  PID 1660 wrote to memory of 536    1660   cd48383befb4dce49fb855d64f500ca1.exe    30
  PID 1660 wrote to memory of 1524   1660   cd48383befb4dce49fb855d64f500ca1.exe    32
  PID 1660 wrote to memory of 1524   1660   cd48383befb4dce49fb855d64f500ca1.exe    32
  PID 1660 wrote to memory of 1524   1660   cd48383befb4dce49fb855d64f500ca1.exe    32
  PID 1660 wrote to memory of 1524   1660   cd48383befb4dce49fb855d64f500ca1.exe    32
  PID 1660 wrote to memory of 364    1660   cd48383befb4dce49fb855d64f500ca1.exe    33
  PID 1660 wrote to memory of 364    1660   cd48383befb4dce49fb855d64f500ca1.exe    33
  PID 1660 wrote to memory of 364    1660   cd48383befb4dce49fb855d64f500ca1.exe    33
  PID 1660 wrote to memory of 364    1660   cd48383befb4dce49fb855d64f500ca1.exe    33
  PID 364 wrote to memory of 332     364    cmd.exe                                 35
  PID 364 wrote to memory of 332     364    cmd.exe                                 35
  PID 364 wrote to memory of 332     364    cmd.exe                                 35
  PID 364 wrote to memory of 332     364    cmd.exe                                 35
  PID 364 wrote to memory of 548     364    cmd.exe                                 36
  PID 364 wrote to memory of 548     364    cmd.exe                                 36
  PID 364 wrote to memory of 548     364    cmd.exe                                 36
  PID 364 wrote to memory of 548     364    cmd.exe                                 36
Processes

1. C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
   PID: 1660
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
      PID: 536
      - Creates scheduled task(s)

   2. C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
      Command line: "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
      PID: 1524
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
      PID: 364
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\chcp.com
         Command line: chcp 65001
         PID: 332

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 548
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads