bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef

General

Target

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
Size

449.7MB
MD5

0d6dfaceb17ba1292c061758f9c9cc29
SHA1

49de8d4fb7bd9e74c33d84fd9c7e8e5c1016ff68
SHA256

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef
SHA512

f9b462863b3bf547bd6e2d851a66884a0867d6566341d9893f3145899c7ed510cfbbf7d6ffb0d809bda3ff174396cb7ad8461d6788b73cc0cf5fd3e444cde19e
SSDEEP

24576:v5ar505yClYM/gCHWxXDPy0cphuST/3PW1ucqqwje973dxu0yLCiXt9jTWcq/:v5ariy4YMexJZw/Iucdp3IbXtFT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exe

pid process

380 Quo_mox niquo niquopen quilo bom lekavasi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1672 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe

pid process

1476 bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

980 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

960 PING.EXE

pid	process
380	Quo_mox niquo niquopen quilo bom lekavasi.exe

pid	process
1672	cmd.exe

pid	process
980	schtasks.exe

pid	process
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exeQuo_mox niquo niquopen quilo bom lekavasi.exe

pid	process
1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
380	Quo_mox niquo niquopen quilo bom lekavasi.exe
380	Quo_mox niquo niquopen quilo bom lekavasi.exe
380	Quo_mox niquo niquopen quilo bom lekavasi.exe
380	Quo_mox niquo niquopen quilo bom lekavasi.exe
380	Quo_mox niquo niquopen quilo bom lekavasi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.execmd.exe

description	pid	process	target process
PID 1476 wrote to memory of 980	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 1476 wrote to memory of 980	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 1476 wrote to memory of 980	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 1476 wrote to memory of 980	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 1476 wrote to memory of 380	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 1476 wrote to memory of 380	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 1476 wrote to memory of 380	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 1476 wrote to memory of 380	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 1476 wrote to memory of 1672	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 1476 wrote to memory of 1672	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 1476 wrote to memory of 1672	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 1476 wrote to memory of 1672	1476	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 1672 wrote to memory of 900	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 900	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 900	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 900	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 960	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 960	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 960	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 960	1672	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
"C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Creates scheduled task(s)
PID:980

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
"C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:900

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe

Filesize
1207.7MB

MD5
1847a06cc5cabb9299a612ae5dd71b85

SHA1
b031e35b73e324998f16db950bf833b38efee88a

SHA256
d565f96d445c375034db900194ed8bfa4e3bfc5020dc806e459321dfee51f6fa

SHA512
cfafa7ef01312342a32395ae1a059a4b97aabf6ba13ba4c6ce154b012beb07dfa6dfb228ebf04fccc38fe059761da31f190f45f4b550363d24c7ed030a7c32d9

Download Submit
\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe

Filesize
1207.7MB

MD5
1847a06cc5cabb9299a612ae5dd71b85

SHA1
b031e35b73e324998f16db950bf833b38efee88a

SHA256
d565f96d445c375034db900194ed8bfa4e3bfc5020dc806e459321dfee51f6fa

SHA512
cfafa7ef01312342a32395ae1a059a4b97aabf6ba13ba4c6ce154b012beb07dfa6dfb228ebf04fccc38fe059761da31f190f45f4b550363d24c7ed030a7c32d9

Download Submit
memory/380-63-0x00000000021A0000-0x00000000022E9000-memory.dmp

Filesize
1.3MB

Download
memory/380-67-0x00000000021A0000-0x00000000022E9000-memory.dmp

Filesize
1.3MB

Download
memory/380-64-0x000000000BF60000-0x000000000BFC6000-memory.dmp

Filesize
408KB

Download
memory/380-58-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/960-66-0x0000000000000000-mapping.dmp

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/1476-62-0x00000000008E0000-0x0000000000A29000-memory.dmp

Filesize
1.3MB

Download
memory/1476-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x00000000008E0000-0x0000000000A29000-memory.dmp

Filesize
1.3MB

Download
memory/1672-61-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads