7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d

General

Target

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
Size

1.3MB
MD5

74079c12b9f2aac6e8c6589d02a61bae
SHA1

f3ee1c95814a8bb9f4924219820e84c8b63928b1
SHA256

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d
SHA512

90a11fd92bab604b2d86a7b0b84b15dc60b68fc8979434930e86e3e7f57eea436ae21f5685ddf8ba9f3f3847ec397340015f32de314f7993e39dcd9b0a7d9e9c
SSDEEP

24576:ZmMuVE/AnaKAHh6akEKtkZf/UUsdAIAtJmzbN9RpMm/fi+oaWuBX/5:ZmMuGJ6nEKqJJxIoJmt97tfi+oa5Bv5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

pid process

1788 Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

728 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe

pid process

1444 7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1636 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE

pid	process
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

pid	process
728	cmd.exe

pid	process
1636	schtasks.exe

pid	process
1512	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exeXigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

pid	process
1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
1788	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.execmd.exe

description	pid	process	target process
PID 1444 wrote to memory of 1636	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 1444 wrote to memory of 1636	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 1444 wrote to memory of 1636	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 1444 wrote to memory of 1636	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 1444 wrote to memory of 1788	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 1444 wrote to memory of 1788	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 1444 wrote to memory of 1788	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 1444 wrote to memory of 1788	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 1444 wrote to memory of 728	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 1444 wrote to memory of 728	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 1444 wrote to memory of 728	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 1444 wrote to memory of 728	1444	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 728 wrote to memory of 1144	728	cmd.exe	chcp.com
PID 728 wrote to memory of 1144	728	cmd.exe	chcp.com
PID 728 wrote to memory of 1144	728	cmd.exe	chcp.com
PID 728 wrote to memory of 1144	728	cmd.exe	chcp.com
PID 728 wrote to memory of 1512	728	cmd.exe	PING.EXE
PID 728 wrote to memory of 1512	728	cmd.exe	PING.EXE
PID 728 wrote to memory of 1512	728	cmd.exe	PING.EXE
PID 728 wrote to memory of 1512	728	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
"C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe"
2⤵
- Creates scheduled task(s)
PID:1636

C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
"C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1512

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

Filesize
801.3MB

MD5
8e40607b645e9838734ff555422caeb3

SHA1
b925fc0eb10a42c54caefaf23f87621bc4bfcdc5

SHA256
9583fd655824e2b5d89bfa35e2c239a4d080347b93a1adced5fe4a3f698401c4

SHA512
bb288f5b5c53ee18c5374c760a0118bba9d5dec20467ac8c9996c8a72eadb2eb99766247ce1f52dd1507febd9c5c448692bc09564d76d88b701215bf037a2661

Download Submit
\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

Filesize
801.3MB

MD5
8e40607b645e9838734ff555422caeb3

SHA1
b925fc0eb10a42c54caefaf23f87621bc4bfcdc5

SHA256
9583fd655824e2b5d89bfa35e2c239a4d080347b93a1adced5fe4a3f698401c4

SHA512
bb288f5b5c53ee18c5374c760a0118bba9d5dec20467ac8c9996c8a72eadb2eb99766247ce1f52dd1507febd9c5c448692bc09564d76d88b701215bf037a2661

Download Submit
memory/728-61-0x0000000000000000-mapping.dmp

Download
memory/1144-63-0x0000000000000000-mapping.dmp

Download
memory/1444-62-0x00000000008E0000-0x00000000009DA000-memory.dmp

Filesize
1000KB

Download
memory/1444-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-56-0x00000000008E0000-0x00000000009DA000-memory.dmp

Filesize
1000KB

Download
memory/1444-54-0x00000000008E0000-0x00000000009DA000-memory.dmp

Filesize
1000KB

Download
memory/1512-64-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1788-59-0x0000000000000000-mapping.dmp

Download
memory/1788-68-0x0000000000B80000-0x0000000000CDC000-memory.dmp

Filesize
1.4MB

Download
memory/1788-67-0x00000000002D0000-0x00000000003CA000-memory.dmp

Filesize
1000KB

Download
memory/1788-69-0x00000000002D0000-0x00000000003CA000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads