e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b

General

Target

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
Size

7.1MB
MD5

51dae8d6208cc255aea7ad0eaba77014
SHA1

dd949ae42f7bc491ac29d9d68b8d12379270bb1a
SHA256

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b
SHA512

c3ab44e3e69e8baee8f215ab2297cab20d2fb9a56e375ae86e8e1102f7d43f683cee64bcd3bfcf59d60742bab80b371de3b18fd5519414787d1cf4eb2e992ed5
SSDEEP

196608:F7nmjqCE8cpmmTVPuF2O8ET7pbO0yA7GO:F7nYRE8cQmTVP2vnl7L

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

pid process

1520 Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe

pid process

1248 e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1160 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1908 PING.EXE

pid	process
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

pid	process
760	cmd.exe

pid	process
1160	schtasks.exe

pid	process
1908	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exeBovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

pid	process
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
1520	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.execmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	schtasks.exe
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	schtasks.exe
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	schtasks.exe
PID 1248 wrote to memory of 1160	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	schtasks.exe
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
PID 1248 wrote to memory of 1520	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	cmd.exe
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	cmd.exe
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	cmd.exe
PID 1248 wrote to memory of 760	1248	e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe	cmd.exe
PID 760 wrote to memory of 1080	760	cmd.exe	chcp.com
PID 760 wrote to memory of 1080	760	cmd.exe	chcp.com
PID 760 wrote to memory of 1080	760	cmd.exe	chcp.com
PID 760 wrote to memory of 1080	760	cmd.exe	chcp.com
PID 760 wrote to memory of 1908	760	cmd.exe	PING.EXE
PID 760 wrote to memory of 1908	760	cmd.exe	PING.EXE
PID 760 wrote to memory of 1908	760	cmd.exe	PING.EXE
PID 760 wrote to memory of 1908	760	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe
"C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe"
2⤵
- Creates scheduled task(s)
PID:1160

C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
"C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e27ac6756cbebfb6679f7f6b8428aa24efca10a089aaf582f14b3b07ef1d044b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
C:\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
\Users\Admin\Bel migomota yexiquiv tisax-newanax fab cegom\Bovawata quaj kokeley gacebe meda loy bogodime vexevi.exe
Filesize
795.1MB

MD5
481ca7865c2390386cc3d1aab80cec2a

SHA1
f3e807bb1b31ea6fd79797a5125a18e13dc40a90

SHA256
abc48f8a1ca507688aaffe601e0744607f516f28b7f2814f25c9f49b31bfc729

SHA512
a810031388d06da147b0abe59f9d3cdf81574d7a20bd43a61242d3395e5c61109185bb7833264a8034d07b8dc974e85e5bd212b9ed44986e2587cb2164536196

Download Submit
memory/760-67-0x0000000000000000-mapping.dmp

Download
memory/1080-70-0x0000000000000000-mapping.dmp

Download
memory/1160-60-0x0000000000000000-mapping.dmp

Download
memory/1248-59-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-56-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-55-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-58-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-57-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-69-0x0000000002880000-0x0000000002974000-memory.dmp

Filesize
976KB

Download
memory/1248-68-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1248-54-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-66-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-65-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1520-71-0x0000000002790000-0x0000000002884000-memory.dmp

Filesize
976KB

Download
memory/1520-75-0x000000000BD30000-0x000000000BEF4000-memory.dmp

Filesize
1.8MB

Download
memory/1520-76-0x0000000002790000-0x0000000002884000-memory.dmp

Filesize
976KB

Download
memory/1520-77-0x0000000000400000-0x0000000000D33000-memory.dmp

Filesize
9.2MB

Download
memory/1908-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads