Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2022, 18:10
Static task
static1
Behavioral task
behavioral1
Sample
cd48383befb4dce49fb855d64f500ca1.exe
Resource
win7-20220812-en
General

Target: cd48383befb4dce49fb855d64f500ca1.exe
Size: 1.2MB
MD5: cd48383befb4dce49fb855d64f500ca1
SHA1: af506733441826dbd789c972a2d627038c0c80af
SHA256: 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
SHA512: 193aa7aae1f12f70b692e4bf5ac7ce8846256da76cbbdc68c1a9fe5746931cb92196ea1505ed49aab81bd45616eb7811940fbd29a83383ed95dd5f0336a9183f
SSDEEP: 24576:jolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FF:j0GL6YpZmSat5LWdNhF
Malware Config

Extracted family: systembc
C2: 89.22.225.242:4193
C2: 195.2.93.22:4193
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 4236 created 2548 | pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe | procid_target: 51

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  pid: 2156 | process: svchost.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | process: cd48383befb4dce49fb855d64f500ca1.exe

Loads dropped DLL (1 IoC)
  pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4236 set thread context of 4660 | pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe | procid_target: 93

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1168 | process: schtasks.exe

Modifies system certificate store
  description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe
  description: Set value (data) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 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 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid: 2636 | process: PING.EXE

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid: 4900 | process: cd48383befb4dce49fb855d64f500ca1.exe (10 identical entries)
  pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe (12 identical entries)

Suspicious use of WriteProcessMemory (23 IoCs)
  description: PID 4900 wrote to memory of 1168 | pid: 4900 | process: cd48383befb4dce49fb855d64f500ca1.exe | procid_target: 86 (3 identical entries)
  description: PID 4900 wrote to memory of 4236 | pid: 4900 | process: cd48383befb4dce49fb855d64f500ca1.exe | procid_target: 88 (3 identical entries)
  description: PID 4900 wrote to memory of 4208 | pid: 4900 | process: cd48383befb4dce49fb855d64f500ca1.exe | procid_target: 89 (3 identical entries)
  description: PID 4208 wrote to memory of 5048 | pid: 4208 | process: cmd.exe | procid_target: 91 (3 identical entries)
  description: PID 4208 wrote to memory of 2636 | pid: 4208 | process: cmd.exe | procid_target: 92 (3 identical entries)
  description: PID 4236 wrote to memory of 4660 | pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe | procid_target: 93 (5 identical entries)
  description: PID 4236 wrote to memory of 2156 | pid: 4236 | process: fofew gequa botovib moca loja faromemo sow nexonide hete.exe | procid_target: 94 (3 identical entries)
Processes

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2548
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      signatures: Executes dropped EXE
      PID: 2156

C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 4900
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
      signatures: Creates scheduled task(s)
      PID: 1168
    C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
      command line: "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 4236
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          PID: 4660
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
      signatures: Suspicious use of WriteProcessMemory
      PID: 4208
        C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
          PID: 5048
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          signatures: Runs ping.exe
          PID: 2636
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 428KB
MD5: 4880886732471a6abbb919b2d9c94e03
SHA1: 78d331eeff674b95bf5d9756a0da7c60b0dee7b4
SHA256: c1f5411008304f15bcc5fa281bd9ee8eae70948f2a58db190290adaf259dcee0
SHA512: b755b402d051d6ff777249ba5eb4754eeeb2a2c47baeb1d69dac3b7e67e88aa5ef83027a41fbfaf7e170cb2ec0f15065d8bb529f989fb15319d4c143b4900432

Filesize: 1.8MB
MD5: e716ffae131666d5e0e77e5d479b1e37
SHA1: 42fea83d3a19beecb25d2c5bd46e547bb4a09319
SHA256: 32684b073e05d41b49611a2d49f25d4d53ca8182d5de134bc7a4924158bc577b
SHA512: c559c52b40c5b593e0687d05c9ed54229b0eb62a517940caaecc6d09aa4d21bdc129552cfcd31509e4f5c35be069ee617457ce047460cc6a23270499ca14f75c

Filesize: 769.2MB
MD5: 87f8d18b597845376f06754a6cebf08b
SHA1: 2585ce8d6f20de0da137f8cb87c47a547f6de4f3
SHA256: 7d8b26b5e0b54b824fbaee47222ec1401b8de4a757e3b6533fd6ca33fd023b4f
SHA512: 4089986fddcd7da6560a1028c3e77d16e26ec6191aae70467c0fafeffbc2d2999f3b48f0bdba0bfbe12f9730511efedcb33ff244c921a2cd7452eef162591292