82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150

General

Target

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
Size

5.2MB
MD5

65bc10aa24d76ec1b02a151a16d053c0
SHA1

81bfa89a47ef789ea1cc5c98f02df2bc2a038a4e
SHA256

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150
SHA512

b0e22e0050090d6f8bc9ae8291005e406d3ab3ea60976aa9394f2c37f59645d8df0ddca7dfe927b0f604428092778da3a3a968da11bc73ea042dfc87d7b9d298
SSDEEP

98304:VXISESTXsUp7ZcjxlqSs/eAFe6WgdLzjnezZED:Vr5sjjxcz20pz6zZm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	quegego fatilila voy boji.exe

Loads dropped DLL 2 IoCs

pid	Process
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1304	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1508 wrote to memory of 1304	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1508 wrote to memory of 1304	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1508 wrote to memory of 1304	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	29
PID 1508 wrote to memory of 1744	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1508 wrote to memory of 1744	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1508 wrote to memory of 1744	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1508 wrote to memory of 1744	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	31
PID 1508 wrote to memory of 912	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1508 wrote to memory of 912	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1508 wrote to memory of 912	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32
PID 1508 wrote to memory of 912	1508	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	32

C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
"C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1304
- C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
  2⤵
  PID:912
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
36.4MB

MD5
d5e0663aa9ba2c68ae5c653fb4ee63ee

SHA1
60b87ca7480dcb1165de6586df31040d8c33c74c

SHA256
bdc5b6c075b0352b71945ef14f4c4995667793ed15d0ed8f43c6888b775b9089

SHA512
03a26c2567c040806dd8135a21cc6968a5682917b2927b0f4aac30a161fb4a7330bbec1b3a6bc29d7a75d97fdf8a1f4d4c49c26eb2390628050bd25b88db6150

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
38.9MB

MD5
ded13864745ec48333141503584a9ee2

SHA1
abe44f1d3614ffbbf5751768b13e0d96aea4d285

SHA256
e3444ddfc339dcaf1397ecbb8f707bc9cfc90cdca70a5c52d10fab1ff747db42

SHA512
2cc2d0c543749fcaff8f085ec8dda47b540601f1426b32274baaa9f8d4512ef123a53575013b3905d4d2ad4b48fdefd0be376e9886d5d42c964c2962efc28c42

Download Submit
\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
37.4MB

MD5
66615452a24523b21eaf5bc9769aee84

SHA1
6a7dda0833691999fda781e30f3ff16c5108e325

SHA256
1da30d22db39f72bebdc7a0181a682aa8195f86e0cbf3b9bf9d3859be8f72051

SHA512
c571df4acd1ee8e912e83e979aa13973ebcf29dea56d751a1e333e9d59b710c8ffaf14585786911dc161297c1d8a916352111d42e9eb1c1bdb75742069a6350d

Download Submit
memory/1508-58-0x0000000002300000-0x0000000003BF2000-memory.dmp

Filesize
24.9MB

Download
memory/1508-55-0x0000000002300000-0x0000000003BF2000-memory.dmp

Filesize
24.9MB

Download
memory/1508-59-0x0000000003C00000-0x00000000040FB000-memory.dmp

Filesize
5.0MB

Download
memory/1508-54-0x0000000002300000-0x0000000003BF2000-memory.dmp

Filesize
24.9MB

Download
memory/1508-57-0x0000000003C00000-0x00000000040FB000-memory.dmp

Filesize
5.0MB

Download
memory/1508-60-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1508-56-0x0000000003C00000-0x00000000040FB000-memory.dmp

Filesize
5.0MB

Download
memory/1508-68-0x0000000003C00000-0x00000000040FB000-memory.dmp

Filesize
5.0MB

Download
memory/1744-66-0x00000000022C0000-0x0000000003BB2000-memory.dmp

Filesize
24.9MB

Download
memory/1744-70-0x00000000022C0000-0x0000000003BB2000-memory.dmp

Filesize
24.9MB

Download
memory/1744-71-0x0000000003BC0000-0x00000000040BB000-memory.dmp

Filesize
5.0MB

Download
memory/1744-72-0x0000000003BC0000-0x00000000040BB000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads