e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b

General

Target

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
Size

7.1MB
MD5

51dae8d6208cc255aea7ad0eaba77014
SHA1

dd949ae42f7bc491ac29d9d68b8d12379270bb1a
SHA256

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b
SHA512

c3ab44e3e69e8baee8f215ab2297cab20d2fb9a56e375ae86e8e1102f7d43f683cee64bcd3bfcf59d60742bab80b371de3b18fd5519414787d1cf4eb2e992ed5
SSDEEP

196608:F7nmjqCE8cpmmTVPuF2O8ET7pbO0yA7GO:F7nYRE8cQmTVP2vnl7L

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Deletes itself 1 IoCs

pid	Process
760	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1160	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1908	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	28
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	28
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	28
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	28
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	30
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	30
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	30
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	30
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	31
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	31
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	31
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	31
PID 760 wrote to memory of 1080	760	cmd.exe	33
PID 760 wrote to memory of 1080	760	cmd.exe	33
PID 760 wrote to memory of 1080	760	cmd.exe	33
PID 760 wrote to memory of 1080	760	cmd.exe	33
PID 760 wrote to memory of 1908	760	cmd.exe	34
PID 760 wrote to memory of 1908	760	cmd.exe	34
PID 760 wrote to memory of 1908	760	cmd.exe	34
PID 760 wrote to memory of 1908	760	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
"C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1160
- C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
  "C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
memory/1248-59-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-56-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-55-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-58-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-57-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-69-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-68-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-54-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-66-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-65-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-71-0x0000000002790000-0x0000000002884000-memory.dmp

Filesize
976KB

Download
memory/1520-75-0x000000000BD30000-0x000000000BEF4000-memory.dmp

Filesize
1.8MB

Download
memory/1520-76-0x0000000002790000-0x0000000002884000-memory.dmp

Filesize
976KB

Download
memory/1520-77-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads