Analysis
- max time kernel: 331s
- max time network: 333s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 01:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
- Resource: win7-20221111-en
General
- Target: 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
- Size: 5.2MB
- MD5: 65bc10aa24d76ec1b02a151a16d053c0
- SHA1: 81bfa89a47ef789ea1cc5c98f02df2bc2a038a4e
- SHA256: 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150
- SHA512: b0e22e0050090d6f8bc9ae8291005e406d3ab3ea60976aa9394f2c37f59645d8df0ddca7dfe927b0f604428092778da3a3a968da11bc73ea042dfc87d7b9d298
- SSDEEP: 98304:VXISESTXsUp7ZcjxlqSs/eAFe6WgdLzjnezZED:Vr5sjjxcz20pz6zZm
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1744: quegego fatilila voy boji.exe
- Loads dropped DLL (2 IoCs)
  pid 1508: 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1304: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 1508: 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe (5 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1508 wrote to memory of 1304 | 1508 | 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe | 29 (4 entries)
  PID 1508 wrote to memory of 1744 | 1508 | 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe | 31 (4 entries)
  PID 1508 wrote to memory of 912 | 1508 | 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe | 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1508
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
    - Creates scheduled task(s)
    PID: 1304
  - C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
    Command line: "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
    - Executes dropped EXE
    PID: 1744
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
    PID: 912
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 1520
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  Filesize: 36.4MB
  MD5: d5e0663aa9ba2c68ae5c653fb4ee63ee
  SHA1: 60b87ca7480dcb1165de6586df31040d8c33c74c
  SHA256: bdc5b6c075b0352b71945ef14f4c4995667793ed15d0ed8f43c6888b775b9089
  SHA512: 03a26c2567c040806dd8135a21cc6968a5682917b2927b0f4aac30a161fb4a7330bbec1b3a6bc29d7a75d97fdf8a1f4d4c49c26eb2390628050bd25b88db6150
- \Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  Filesize: 38.9MB
  MD5: ded13864745ec48333141503584a9ee2
  SHA1: abe44f1d3614ffbbf5751768b13e0d96aea4d285
  SHA256: e3444ddfc339dcaf1397ecbb8f707bc9cfc90cdca70a5c52d10fab1ff747db42
  SHA512: 2cc2d0c543749fcaff8f085ec8dda47b540601f1426b32274baaa9f8d4512ef123a53575013b3905d4d2ad4b48fdefd0be376e9886d5d42c964c2962efc28c42
- \Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  Filesize: 37.4MB
  MD5: 66615452a24523b21eaf5bc9769aee84
  SHA1: 6a7dda0833691999fda781e30f3ff16c5108e325
  SHA256: 1da30d22db39f72bebdc7a0181a682aa8195f86e0cbf3b9bf9d3859be8f72051
  SHA512: c571df4acd1ee8e912e83e979aa13973ebcf29dea56d751a1e333e9d59b710c8ffaf14585786911dc161297c1d8a916352111d42e9eb1c1bdb75742069a6350d