Analysis
- max time kernel: 45s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 14:12
Static task: static1
Behavioral task: behavioral1
- Sample: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Resource: win10v2004-20221111-en
General
- Target: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Size: 1.4MB
- MD5: 65edcfa090755e408992785778955dce
- SHA1: 6eff23db579671e283798e729a9b57614612b6d9
- SHA256: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0
- SHA512: f8325f5a27318da052d81a67f1b1f552dc1932577ef932e273c7ae61974e595881f305721fe92fedcaf32190ef28c7a90520303c4410e1f0d44701b6b861a837
- SSDEEP: 24576:eSUqKIqZHzOdysVKr+nXF1CutCtbDpKYxOBvwaWGAOpYyovkirp:cpHzOdysVKrG1KpKYxn60Mi
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: pid 1096 cmd.exe
- Executes dropped EXE (1 IoC)
  Processes: pid 1428 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1664 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe (recorded twice)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; no process is listed as an IoC for it and nothing else in this report, such as mass file writes or a ransom note, corroborates ransomware.)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: pid 1664 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe (5 entries); pid 1428 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe (5 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source pid -> target pid, source process -> target process; each pair recorded 4 times):
    1664 -> 636   871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> schtasks.exe
    1664 -> 1428  871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
    1664 -> 1096  871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> cmd.exe
    1096 -> 1924  cmd.exe -> chcp.com
    1096 -> 896   cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe (pid 1664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (pid 636)
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
    - Creates scheduled task(s)
  - C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe (pid 1428)
    Command line: "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (pid 1096)
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (pid 1924)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE (pid 896)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Note on the tree: the sample asks for C:\Windows\system32\schtasks.exe and C:\Windows\System32\cmd.exe but the images actually executed live in C:\Windows\SysWOW64, which is WOW64 file system redirection: the sample is a 32-bit process on an x64 guest. The persistence is a logon-triggered task named COMSurrogate (the display name of the legitimate dllhost.exe) that runs the dropped copy from the user's profile with the highest available run level, and the cmd chain uses `ping 127.0.0.1` only as a short delay so that the original file is unlocked before `DEL` removes it. Child PIDs in the tree are taken from the WriteProcessMemory signature above.
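Detection logic for the two command lines in this tree, the schtasks persistence entry flagged under "Creates scheduled task(s)" and the cmd/ping/DEL chain flagged under "Deletes itself", as an added example that is not part of the sandbox report. It runs over process-creation records constructed from the PIDs and command lines above plus two constructed benign controls; the ProcEvent record shape, the two-reason alert threshold and the lookalike task-name list are assumptions of the example, not data from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon EID 1 or an EDR provides)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# A task binary under C:\Users\<name>\ is out of place for a task posing as a system component.
USER_PROFILE_RE = re.compile(r"c:\\users\\[^\\]+\\", re.I)
# Assumed lookalike list: dllhost.exe is shown as "COM Surrogate" in Task Manager.
LOOKALIKE_TASK_NAMES = {"comsurrogate", "com surrogate"}


def _arg(cl: str, switch: str) -> str:
    """Return the value after a schtasks switch, whether quoted or bare."""
    m = re.search(r'%s\s+(?:"([^"]*)"|(\S+))' % re.escape(switch), cl, re.I)
    return (m.group(1) or m.group(2) or "") if m else ""


def schtasks_persistence_reasons(ev: ProcEvent) -> List[str]:
    """Reasons a schtasks /create looks like malware persistence (empty if none)."""
    cl = ev.command_line
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in cl.lower():
        return []
    reasons = []
    if re.search(r"/sc\s+onlogon", cl, re.I):
        reasons.append("trigger=onlogon")
    if re.search(r"/rl\s+highest", cl, re.I):
        reasons.append("runlevel=highest")
    if USER_PROFILE_RE.search(_arg(cl, "/tr")):
        reasons.append("task binary lives under a user profile")
    if _arg(cl, "/tn").lower() in LOOKALIKE_TASK_NAMES:
        reasons.append("task name mimics a Windows component")
    return reasons


def self_delete_reasons(ev: ProcEvent, parent_image: str) -> List[str]:
    """Reasons a cmd.exe child looks like it is deleting its parent's own image."""
    cl = ev.command_line
    if not ev.image.lower().endswith("cmd.exe"):
        return []
    # DEL [/flags ...] "target"  (target is the last argument of the chain)
    m = re.search(r'\bdel\s+((?:/[a-z]\s+)*)"?([^"]+?)"?\s*$', cl, re.I)
    if not m:
        return []
    target = m.group(2).strip()
    reasons = []
    if re.search(r"\bping\s+(127\.0\.0\.1|localhost)\b", cl, re.I):
        reasons.append("ping used as a delay before del")
    if target.lower() == parent_image.lower():
        reasons.append("del target is the parent process image")
    return reasons


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: reasons} for every event that collects at least two reasons."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        reasons = schtasks_persistence_reasons(e)
        parent = by_pid.get(e.ppid)
        if parent is not None:
            reasons += self_delete_reasons(e, parent.image)
        if len(reasons) >= 2:
            hits[e.pid] = reasons
    return hits


# Constructed sample: PIDs and command lines copied from the process tree above,
# plus a constructed explorer.exe root and two constructed benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
DROPPED = r"C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1664, 1000, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(636, 1664, r"C:\Windows\SysWOW64\schtasks.exe",
              '"C:\\Windows\\system32\\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "%s"' % DROPPED),
    ProcEvent(1428, 1664, DROPPED, '"%s"' % DROPPED),
    ProcEvent(1096, 1664, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "%s"' % SAMPLE),
    ProcEvent(2000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn NightlyBackup /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(2001, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c DEL /Q "C:\Users\Admin\AppData\Local\Temp\report.tmp"'),
]

if __name__ == "__main__":
    for pid, why in evaluate(EVENTS).items():
        print(pid, why)
```

The parent lookup is what separates a self-deletion from an ordinary `cmd /c del`: the rule needs the parent's image path, not just the child's command line, so it only works on telemetry that carries ParentProcessId (Sysmon Event ID 1 does). On a live host the persistence can be confirmed with `schtasks /query /tn COMSurrogate /v`.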
Downloads
Three copies of the dropped executable were recorded at the same path, each with a different size and hash:
- C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
  Filesize: 632.3MB
  MD5: ab2e6021e12fb2cec933b914e75c3293
  SHA1: 8cbeeedf43dd3cd90841f39421536e8fcc6c6d47
  SHA256: d4443bec1787e662ae45ce852f2550070a9d471b1c23a0632b23a2bdb0e64dbe
  SHA512: d22ed3d0f4c891a046928f8fc9588d1afc495c4b8334dfbb4b7663ed1b132ccf32693c65d2794c70f956b5efbed63443b1f329f7fed89ce89a181b9805e744d7
- \Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
  Filesize: 620.4MB
  MD5: cdc7fdb057017681b8fa92cc54101dfa
  SHA1: 014641977b4fbf22d0ccd02207f927f729004d26
  SHA256: 02c4a62213a3c3ac894c049fc2e2b4f8419ba005d462e5b03f026d9969634fa5
  SHA512: 3de11c409e0551966e2bc1597f0dc76a30f4124004299e1e12d07b139b5cc11742f2b94ddbd97cc6b003d89eaeea68e3c274a812a98c4b1c95120b29d149d32b
- \Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
  Filesize: 645.2MB
  MD5: daa127b8eab54ad362b93181a526fa70
  SHA1: 4048d34a964ac082777b4579671058fcd5849445
  SHA256: 4ce33e3ded102277e5d8bc43b3a94cfe1236e52b6acdd668938ffb78aecc0109
  SHA512: 9a7bc12b5d6dcfaa454fd48f1e45aa529898969d1e0e02005b6ca5fa56c4c12cc0c6b12edefaa70352ba65464805c9b0203826414ee8c2bba5c78011e4d2ea70
Note: the submitted sample is 1.4MB and the dropped process (pid 1428) maps a 1.4MB image at 0x0000000000240000-0x00000000003A7000 (listed under the memory dumps below), so the 620-645MB on-disk size is consistent with the dropper writing hundreds of MB of padding that is never loaded. Because the size and every hash differ from run to run, the dropped file's hashes are not reusable indicators; the drop directory, the COMSurrogate task name and the command lines in the process tree are.
Memory dumps
- memory/636-56-0x0000000000000000-mapping.dmp
- memory/896-68-0x0000000000000000-mapping.dmp
- memory/1096-63-0x0000000000000000-mapping.dmp
- memory/1428-59-0x0000000000000000-mapping.dmp
- memory/1428-62-0x000000000DA50000-0x000000000DC25000-memory.dmp (Filesize: 1.8MB)
- memory/1428-65-0x0000000000240000-0x00000000003A7000-memory.dmp (Filesize: 1.4MB)
- memory/1428-66-0x000000000DA50000-0x000000000DC25000-memory.dmp (Filesize: 1.8MB)
- memory/1428-69-0x0000000000240000-0x00000000003A7000-memory.dmp (Filesize: 1.4MB)
- memory/1664-55-0x00000000011A0000-0x0000000001307000-memory.dmp (Filesize: 1.4MB)
- memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp (Filesize: 8KB)
- memory/1664-64-0x00000000011A0000-0x0000000001307000-memory.dmp (Filesize: 1.4MB)
- memory/1924-67-0x0000000000000000-mapping.dmp