3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5

General

Target

c0456dd63553c74b835ed7fc06c39344.exe
Size

1.2MB
MD5

c0456dd63553c74b835ed7fc06c39344
SHA1

1a0c64541eb2e9cb20d5d6e9ad55ff67f7c625c8
SHA256

3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5
SHA512

2f153a1bc5a4beed2ed8be84b1bdb7fafba7f85db4cc01f00dce8d1a95ac7e20a082f55eed585be751e2743e8efe1031bff9748d3ad6183568a1d9298a836e81
SSDEEP

24576:lgYjOjOE72fjkzv2kLpA9C43v3aNKByFvBJbpCJ2uWriFhuM1x1L4gir:l/OFafjIv2ki/oKwBa2unTu0T4x

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

doreledo kecoya bil.exe

pid process

1216 doreledo kecoya bil.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

c0456dd63553c74b835ed7fc06c39344.exe

pid process

1000 c0456dd63553c74b835ed7fc06c39344.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

988 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1900 PING.EXE

pid	process
1216	doreledo kecoya bil.exe

pid	process
1704	cmd.exe

pid	process
988	schtasks.exe

pid	process
1900	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

c0456dd63553c74b835ed7fc06c39344.exedoreledo kecoya bil.exe

pid	process
1000	c0456dd63553c74b835ed7fc06c39344.exe
1000	c0456dd63553c74b835ed7fc06c39344.exe
1000	c0456dd63553c74b835ed7fc06c39344.exe
1000	c0456dd63553c74b835ed7fc06c39344.exe
1000	c0456dd63553c74b835ed7fc06c39344.exe
1216	doreledo kecoya bil.exe
1216	doreledo kecoya bil.exe
1216	doreledo kecoya bil.exe
1216	doreledo kecoya bil.exe
1216	doreledo kecoya bil.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c0456dd63553c74b835ed7fc06c39344.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 988	1000	c0456dd63553c74b835ed7fc06c39344.exe	schtasks.exe
PID 1000 wrote to memory of 988	1000	c0456dd63553c74b835ed7fc06c39344.exe	schtasks.exe
PID 1000 wrote to memory of 988	1000	c0456dd63553c74b835ed7fc06c39344.exe	schtasks.exe
PID 1000 wrote to memory of 988	1000	c0456dd63553c74b835ed7fc06c39344.exe	schtasks.exe
PID 1000 wrote to memory of 1216	1000	c0456dd63553c74b835ed7fc06c39344.exe	doreledo kecoya bil.exe
PID 1000 wrote to memory of 1216	1000	c0456dd63553c74b835ed7fc06c39344.exe	doreledo kecoya bil.exe
PID 1000 wrote to memory of 1216	1000	c0456dd63553c74b835ed7fc06c39344.exe	doreledo kecoya bil.exe
PID 1000 wrote to memory of 1216	1000	c0456dd63553c74b835ed7fc06c39344.exe	doreledo kecoya bil.exe
PID 1000 wrote to memory of 1704	1000	c0456dd63553c74b835ed7fc06c39344.exe	cmd.exe
PID 1000 wrote to memory of 1704	1000	c0456dd63553c74b835ed7fc06c39344.exe	cmd.exe
PID 1000 wrote to memory of 1704	1000	c0456dd63553c74b835ed7fc06c39344.exe	cmd.exe
PID 1000 wrote to memory of 1704	1000	c0456dd63553c74b835ed7fc06c39344.exe	cmd.exe
PID 1704 wrote to memory of 672	1704	cmd.exe	chcp.com
PID 1704 wrote to memory of 672	1704	cmd.exe	chcp.com
PID 1704 wrote to memory of 672	1704	cmd.exe	chcp.com
PID 1704 wrote to memory of 672	1704	cmd.exe	chcp.com
PID 1704 wrote to memory of 1900	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1900	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1900	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1900	1704	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c0456dd63553c74b835ed7fc06c39344.exe
"C:\Users\Admin\AppData\Local\Temp\c0456dd63553c74b835ed7fc06c39344.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Vikote pajiq losiw tojoyafe volij tohid\doreledo kecoya bil.exe"
2⤵
- Creates scheduled task(s)
PID:988

C:\Users\Admin\Vikote pajiq losiw tojoyafe volij tohid\doreledo kecoya bil.exe
"C:\Users\Admin\Vikote pajiq losiw tojoyafe volij tohid\doreledo kecoya bil.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\c0456dd63553c74b835ed7fc06c39344.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Vikote pajiq losiw tojoyafe volij tohid\doreledo kecoya bil.exe
Filesize
696.0MB

MD5
5508ad446d6b9ff8e8b87568387ee495

SHA1
49dd7d7c88e7a69b1d14f6ac8c7f0de9546f24e2

SHA256
1d87958708b2b2a332bceace7cdb965e907780e6c598d3becfffaae6d85b0502

SHA512
91f9de4d7c9983800560f28451dbeb680b6bd88ac5a0445bd310fa075971378504ca722725a2485c7fb81c8cc7dcb0bb99a59997ebd327451a75f8a825a8ea2b

Download Submit
\Users\Admin\Vikote pajiq losiw tojoyafe volij tohid\doreledo kecoya bil.exe
Filesize
696.1MB

MD5
c3cd5eed93f7fbd775d5e8343fa01c71

SHA1
18c1c30e54132fe04c655de230af3b6ceb59d888

SHA256
a3768858d65260ea1eae35f110ef8ab7ce36b4c865092d81a7a66a72c881029c

SHA512
c2478feed45b973f2bfc961ada9417e75be3e0e03ac5de91be67b54de57347638a3462396d121396f8110674c40e11921a349033da9c93ff25859131ee298187

Download Submit
memory/672-65-0x0000000000000000-mapping.dmp

Download
memory/988-59-0x0000000000000000-mapping.dmp

Download
memory/1000-58-0x00000000020A0000-0x00000000021AE000-memory.dmp

Filesize
1.1MB

Download
memory/1000-55-0x00000000020A0000-0x00000000021AE000-memory.dmp

Filesize
1.1MB

Download
memory/1000-57-0x0000000002380000-0x00000000028E6000-memory.dmp

Filesize
5.4MB

Download
memory/1000-54-0x0000000002380000-0x00000000028E6000-memory.dmp

Filesize
5.4MB

Download
memory/1000-56-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1000-64-0x00000000020A0000-0x00000000021AE000-memory.dmp

Filesize
1.1MB

Download
memory/1216-61-0x0000000000000000-mapping.dmp

Download
memory/1216-67-0x0000000002350000-0x00000000028B6000-memory.dmp

Filesize
5.4MB

Download
memory/1216-68-0x0000000000A90000-0x0000000000B9E000-memory.dmp

Filesize
1.1MB

Download
memory/1216-70-0x000000000C4F0000-0x000000000C6AF000-memory.dmp

Filesize
1.7MB

Download
memory/1216-71-0x000000000C4F0000-0x000000000C6AF000-memory.dmp

Filesize
1.7MB

Download
memory/1216-72-0x0000000000A90000-0x0000000000B9E000-memory.dmp

Filesize
1.1MB

Download
memory/1704-63-0x0000000000000000-mapping.dmp

Download
memory/1900-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads