82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150

General

Target

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
Size

5.2MB
MD5

65bc10aa24d76ec1b02a151a16d053c0
SHA1

81bfa89a47ef789ea1cc5c98f02df2bc2a038a4e
SHA256

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150
SHA512

b0e22e0050090d6f8bc9ae8291005e406d3ab3ea60976aa9394f2c37f59645d8df0ddca7dfe927b0f604428092778da3a3a968da11bc73ea042dfc87d7b9d298
SSDEEP

98304:VXISESTXsUp7ZcjxlqSs/eAFe6WgdLzjnezZED:Vr5sjjxcz20pz6zZm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
848	quegego fatilila voy boji.exe

Deletes itself 1 IoCs

pid	Process
968	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1764	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1460	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
848	quegego fatilila voy boji.exe
848	quegego fatilila voy boji.exe
848	quegego fatilila voy boji.exe
848	quegego fatilila voy boji.exe
848	quegego fatilila voy boji.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1764	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1480 wrote to memory of 1764	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1480 wrote to memory of 1764	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1480 wrote to memory of 1764	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1480 wrote to memory of 848	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1480 wrote to memory of 848	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1480 wrote to memory of 848	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1480 wrote to memory of 848	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1480 wrote to memory of 968	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1480 wrote to memory of 968	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1480 wrote to memory of 968	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1480 wrote to memory of 968	1480	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 968 wrote to memory of 1660	968	cmd.exe	34
PID 968 wrote to memory of 1660	968	cmd.exe	34
PID 968 wrote to memory of 1660	968	cmd.exe	34
PID 968 wrote to memory of 1660	968	cmd.exe	34
PID 968 wrote to memory of 1460	968	cmd.exe	35
PID 968 wrote to memory of 1460	968	cmd.exe	35
PID 968 wrote to memory of 1460	968	cmd.exe	35
PID 968 wrote to memory of 1460	968	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
"C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1764
- C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
799.2MB

MD5
402fc19ea41764eae825bb44611370c2

SHA1
2a5e0557e5b2251cee061b00564e63319dece793

SHA256
7d914f1b84166e32dc13927248efbb2b8808818983e1d437b8a67a441717a570

SHA512
6f6d04a9a2764bedb45e2e28c3a27d262bba5a6dd9f13e6a21d0856d0fac16f20fd9a96f328c8f2c691547b69bc0e7ba74610b5644ab9a4883f4045b93a3d924

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
799.2MB

MD5
402fc19ea41764eae825bb44611370c2

SHA1
2a5e0557e5b2251cee061b00564e63319dece793

SHA256
7d914f1b84166e32dc13927248efbb2b8808818983e1d437b8a67a441717a570

SHA512
6f6d04a9a2764bedb45e2e28c3a27d262bba5a6dd9f13e6a21d0856d0fac16f20fd9a96f328c8f2c691547b69bc0e7ba74610b5644ab9a4883f4045b93a3d924

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
799.2MB

MD5
402fc19ea41764eae825bb44611370c2

SHA1
2a5e0557e5b2251cee061b00564e63319dece793

SHA256
7d914f1b84166e32dc13927248efbb2b8808818983e1d437b8a67a441717a570

SHA512
6f6d04a9a2764bedb45e2e28c3a27d262bba5a6dd9f13e6a21d0856d0fac16f20fd9a96f328c8f2c691547b69bc0e7ba74610b5644ab9a4883f4045b93a3d924

Download Submit
memory/848-78-0x0000000003EA0000-0x000000000439B000-memory.dmp

Filesize
5.0MB

Download
memory/848-77-0x00000000025A0000-0x0000000003E92000-memory.dmp

Filesize
24.9MB

Download
memory/848-76-0x000000000E570000-0x0000000010E0F000-memory.dmp

Filesize
40.6MB

Download
memory/848-75-0x000000000E570000-0x0000000010E0F000-memory.dmp

Filesize
40.6MB

Download
memory/848-73-0x0000000003EA0000-0x000000000439B000-memory.dmp

Filesize
5.0MB

Download
memory/848-70-0x00000000025A0000-0x0000000003E92000-memory.dmp

Filesize
24.9MB

Download
memory/848-79-0x000000000E570000-0x0000000010E0F000-memory.dmp

Filesize
40.6MB

Download
memory/848-80-0x0000000003EA0000-0x000000000439B000-memory.dmp

Filesize
5.0MB

Download
memory/848-72-0x0000000003EA0000-0x000000000439B000-memory.dmp

Filesize
5.0MB

Download
memory/848-71-0x00000000025A0000-0x0000000003E92000-memory.dmp

Filesize
24.9MB

Download
memory/1480-67-0x0000000003DF0000-0x00000000042EB000-memory.dmp

Filesize
5.0MB

Download
memory/1480-54-0x00000000024F0000-0x0000000003DE2000-memory.dmp

Filesize
24.9MB

Download
memory/1480-60-0x0000000003DF0000-0x00000000042EB000-memory.dmp

Filesize
5.0MB

Download
memory/1480-59-0x00000000024F0000-0x0000000003DE2000-memory.dmp

Filesize
24.9MB

Download
memory/1480-58-0x0000000003DF0000-0x00000000042EB000-memory.dmp

Filesize
5.0MB

Download
memory/1480-57-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1480-56-0x0000000003DF0000-0x00000000042EB000-memory.dmp

Filesize
5.0MB

Download
memory/1480-55-0x00000000024F0000-0x0000000003DE2000-memory.dmp

Filesize
24.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads