82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150

General

Target

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
Size

5.2MB
MD5

65bc10aa24d76ec1b02a151a16d053c0
SHA1

81bfa89a47ef789ea1cc5c98f02df2bc2a038a4e
SHA256

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150
SHA512

b0e22e0050090d6f8bc9ae8291005e406d3ab3ea60976aa9394f2c37f59645d8df0ddca7dfe927b0f604428092778da3a3a968da11bc73ea042dfc87d7b9d298
SSDEEP

98304:VXISESTXsUp7ZcjxlqSs/eAFe6WgdLzjnezZED:Vr5sjjxcz20pz6zZm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
752	quegego fatilila voy boji.exe

Deletes itself 1 IoCs

pid	Process
1124	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1772	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1988	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
752	quegego fatilila voy boji.exe
752	quegego fatilila voy boji.exe
752	quegego fatilila voy boji.exe
752	quegego fatilila voy boji.exe
752	quegego fatilila voy boji.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1772	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 960 wrote to memory of 1772	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 960 wrote to memory of 1772	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 960 wrote to memory of 1772	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 960 wrote to memory of 752	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 960 wrote to memory of 752	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 960 wrote to memory of 752	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 960 wrote to memory of 752	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 960 wrote to memory of 1124	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 960 wrote to memory of 1124	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 960 wrote to memory of 1124	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 960 wrote to memory of 1124	960	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1124 wrote to memory of 1952	1124	cmd.exe	34
PID 1124 wrote to memory of 1952	1124	cmd.exe	34
PID 1124 wrote to memory of 1952	1124	cmd.exe	34
PID 1124 wrote to memory of 1952	1124	cmd.exe	34
PID 1124 wrote to memory of 1988	1124	cmd.exe	35
PID 1124 wrote to memory of 1988	1124	cmd.exe	35
PID 1124 wrote to memory of 1988	1124	cmd.exe	35
PID 1124 wrote to memory of 1988	1124	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
"C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1772
- C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
779.2MB

MD5
d713a98cd83caf2394109c50efee112e

SHA1
d75e6cedf78c6af81f6ea3e6a625f5d86006e44b

SHA256
9adca27d1327cd327b7ae388ddacbdbe84553abd4c0fbea4c68348712cca6d59

SHA512
f166748dc529e4d75225850b06fc04370def8bbf11741d9856486431990af5e8d07d33f044e34b69a67c3cc8cd3daac19e07c2cfd822916d134ad8dd03a44f5a

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
779.2MB

MD5
d713a98cd83caf2394109c50efee112e

SHA1
d75e6cedf78c6af81f6ea3e6a625f5d86006e44b

SHA256
9adca27d1327cd327b7ae388ddacbdbe84553abd4c0fbea4c68348712cca6d59

SHA512
f166748dc529e4d75225850b06fc04370def8bbf11741d9856486431990af5e8d07d33f044e34b69a67c3cc8cd3daac19e07c2cfd822916d134ad8dd03a44f5a

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
779.2MB

MD5
d713a98cd83caf2394109c50efee112e

SHA1
d75e6cedf78c6af81f6ea3e6a625f5d86006e44b

SHA256
9adca27d1327cd327b7ae388ddacbdbe84553abd4c0fbea4c68348712cca6d59

SHA512
f166748dc529e4d75225850b06fc04370def8bbf11741d9856486431990af5e8d07d33f044e34b69a67c3cc8cd3daac19e07c2cfd822916d134ad8dd03a44f5a

Download Submit
memory/752-78-0x0000000003BF0000-0x00000000040EB000-memory.dmp

Filesize
5.0MB

Download
memory/752-77-0x00000000022F0000-0x0000000003BE2000-memory.dmp

Filesize
24.9MB

Download
memory/752-76-0x000000000E9C0000-0x000000001125F000-memory.dmp

Filesize
40.6MB

Download
memory/752-75-0x000000000E9C0000-0x000000001125F000-memory.dmp

Filesize
40.6MB

Download
memory/752-73-0x0000000003BF0000-0x00000000040EB000-memory.dmp

Filesize
5.0MB

Download
memory/752-68-0x00000000022F0000-0x0000000003BE2000-memory.dmp

Filesize
24.9MB

Download
memory/752-79-0x000000000E9C0000-0x000000001125F000-memory.dmp

Filesize
40.6MB

Download
memory/752-80-0x0000000003BF0000-0x00000000040EB000-memory.dmp

Filesize
5.0MB

Download
memory/752-72-0x0000000003BF0000-0x00000000040EB000-memory.dmp

Filesize
5.0MB

Download
memory/752-71-0x00000000022F0000-0x0000000003BE2000-memory.dmp

Filesize
24.9MB

Download
memory/960-60-0x0000000003E70000-0x000000000436B000-memory.dmp

Filesize
5.0MB

Download
memory/960-67-0x0000000003E70000-0x000000000436B000-memory.dmp

Filesize
5.0MB

Download
memory/960-54-0x0000000002570000-0x0000000003E62000-memory.dmp

Filesize
24.9MB

Download
memory/960-59-0x0000000002570000-0x0000000003E62000-memory.dmp

Filesize
24.9MB

Download
memory/960-58-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-57-0x0000000003E70000-0x000000000436B000-memory.dmp

Filesize
5.0MB

Download
memory/960-56-0x0000000003E70000-0x000000000436B000-memory.dmp

Filesize
5.0MB

Download
memory/960-55-0x0000000002570000-0x0000000003E62000-memory.dmp

Filesize
24.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads