bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef

General

Target

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
Size

449.7MB
MD5

0d6dfaceb17ba1292c061758f9c9cc29
SHA1

49de8d4fb7bd9e74c33d84fd9c7e8e5c1016ff68
SHA256

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef
SHA512

f9b462863b3bf547bd6e2d851a66884a0867d6566341d9893f3145899c7ed510cfbbf7d6ffb0d809bda3ff174396cb7ad8461d6788b73cc0cf5fd3e444cde19e
SSDEEP

24576:v5ar505yClYM/gCHWxXDPy0cphuST/3PW1ucqqwje973dxu0yLCiXt9jTWcq/:v5ariy4YMexJZw/Iucdp3IbXtFT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exe

pid process

1792 Quo_mox niquo niquopen quilo bom lekavasi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

908 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe

pid process

848 bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1104 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1128 PING.EXE

pid	process
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe

pid	process
908	cmd.exe

pid	process
1104	schtasks.exe

pid	process
1128	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exeQuo_mox niquo niquopen quilo bom lekavasi.exe

pid	process
848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe
1792	Quo_mox niquo niquopen quilo bom lekavasi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1104	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 848 wrote to memory of 1104	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 848 wrote to memory of 1104	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 848 wrote to memory of 1104	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	schtasks.exe
PID 848 wrote to memory of 1792	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 848 wrote to memory of 1792	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 848 wrote to memory of 1792	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 848 wrote to memory of 1792	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 848 wrote to memory of 908	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 848 wrote to memory of 908	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 848 wrote to memory of 908	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 848 wrote to memory of 908	848	bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe	cmd.exe
PID 908 wrote to memory of 432	908	cmd.exe	chcp.com
PID 908 wrote to memory of 432	908	cmd.exe	chcp.com
PID 908 wrote to memory of 432	908	cmd.exe	chcp.com
PID 908 wrote to memory of 432	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1128	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1128	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1128	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1128	908	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe
"C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Creates scheduled task(s)
PID:1104

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
"C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bed801306842692dafa1aa5c7a23ae4effc9a214f765ca6572c7253630e434ef.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:432

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
Filesize
1247.7MB

MD5
78e60d228cd9ea570e149f7ca013a303

SHA1
3ab1f3bfecc611284eec48e73f374efc4712b289

SHA256
8d20d37cd3c0746a4f88e929fa68350ff895cb19bbaac9231a16579b5dfe5c97

SHA512
76cf1bea10b48fe64b11a782aa18b7207e7970b9ccdf2b1f5846af72f9cebfe256560cb45a74d3dfbb83ab68cd6c0e59ee627e53c7eb0a04a5e9c48d0c16710b

Download Submit
\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
Filesize
1247.7MB

MD5
78e60d228cd9ea570e149f7ca013a303

SHA1
3ab1f3bfecc611284eec48e73f374efc4712b289

SHA256
8d20d37cd3c0746a4f88e929fa68350ff895cb19bbaac9231a16579b5dfe5c97

SHA512
76cf1bea10b48fe64b11a782aa18b7207e7970b9ccdf2b1f5846af72f9cebfe256560cb45a74d3dfbb83ab68cd6c0e59ee627e53c7eb0a04a5e9c48d0c16710b

Download Submit
memory/432-65-0x0000000000000000-mapping.dmp

Download
memory/848-64-0x0000000000B90000-0x0000000000CD9000-memory.dmp

Filesize
1.3MB

Download
memory/848-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/848-55-0x0000000000B90000-0x0000000000CD9000-memory.dmp

Filesize
1.3MB

Download
memory/908-63-0x0000000000000000-mapping.dmp

Download
memory/1104-56-0x0000000000000000-mapping.dmp

Download
memory/1128-67-0x0000000000000000-mapping.dmp

Download
memory/1792-58-0x0000000000000000-mapping.dmp

Download
memory/1792-61-0x0000000000810000-0x0000000000959000-memory.dmp

Filesize
1.3MB

Download
memory/1792-62-0x000000000CD80000-0x000000000CDE6000-memory.dmp

Filesize
408KB

Download
memory/1792-66-0x0000000000810000-0x0000000000959000-memory.dmp

Filesize
1.3MB

Download
memory/1792-68-0x000000000CD80000-0x000000000CDE6000-memory.dmp

Filesize
408KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads