871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0

General

Target

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
Size

1.4MB
MD5

65edcfa090755e408992785778955dce
SHA1

6eff23db579671e283798e729a9b57614612b6d9
SHA256

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0
SHA512

f8325f5a27318da052d81a67f1b1f552dc1932577ef932e273c7ae61974e595881f305721fe92fedcaf32190ef28c7a90520303c4410e1f0d44701b6b861a837
SSDEEP

24576:eSUqKIqZHzOdysVKr+nXF1CutCtbDpKYxOBvwaWGAOpYyovkirp:cpHzOdysVKrG1KpKYxn60Mi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1096 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

pid process

1428 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

pid	process
1096	cmd.exe

pid	process
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Loads dropped DLL 2 IoCs

Processes:

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe

pid	process
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

636 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

896 PING.EXE

pid	process
636	schtasks.exe

pid	process
896	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exesasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

pid	process
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1428	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 636	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	schtasks.exe
PID 1664 wrote to memory of 636	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	schtasks.exe
PID 1664 wrote to memory of 636	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	schtasks.exe
PID 1664 wrote to memory of 636	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	schtasks.exe
PID 1664 wrote to memory of 1428	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
PID 1664 wrote to memory of 1428	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
PID 1664 wrote to memory of 1428	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
PID 1664 wrote to memory of 1428	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
PID 1664 wrote to memory of 1096	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	cmd.exe
PID 1664 wrote to memory of 1096	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	cmd.exe
PID 1664 wrote to memory of 1096	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	cmd.exe
PID 1664 wrote to memory of 1096	1664	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	cmd.exe
PID 1096 wrote to memory of 1924	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 1924	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 1924	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 1924	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 896	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 896	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 896	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 896	1096	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
"C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
2⤵
- Creates scheduled task(s)
PID:636

C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
"C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1924

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
Filesize
632.3MB

MD5
ab2e6021e12fb2cec933b914e75c3293

SHA1
8cbeeedf43dd3cd90841f39421536e8fcc6c6d47

SHA256
d4443bec1787e662ae45ce852f2550070a9d471b1c23a0632b23a2bdb0e64dbe

SHA512
d22ed3d0f4c891a046928f8fc9588d1afc495c4b8334dfbb4b7663ed1b132ccf32693c65d2794c70f956b5efbed63443b1f329f7fed89ce89a181b9805e744d7

Download Submit
\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
Filesize
620.4MB

MD5
cdc7fdb057017681b8fa92cc54101dfa

SHA1
014641977b4fbf22d0ccd02207f927f729004d26

SHA256
02c4a62213a3c3ac894c049fc2e2b4f8419ba005d462e5b03f026d9969634fa5

SHA512
3de11c409e0551966e2bc1597f0dc76a30f4124004299e1e12d07b139b5cc11742f2b94ddbd97cc6b003d89eaeea68e3c274a812a98c4b1c95120b29d149d32b

Download Submit
\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
Filesize
645.2MB

MD5
daa127b8eab54ad362b93181a526fa70

SHA1
4048d34a964ac082777b4579671058fcd5849445

SHA256
4ce33e3ded102277e5d8bc43b3a94cfe1236e52b6acdd668938ffb78aecc0109

SHA512
9a7bc12b5d6dcfaa454fd48f1e45aa529898969d1e0e02005b6ca5fa56c4c12cc0c6b12edefaa70352ba65464805c9b0203826414ee8c2bba5c78011e4d2ea70

Download Submit
memory/636-56-0x0000000000000000-mapping.dmp

Download
memory/896-68-0x0000000000000000-mapping.dmp

Download
memory/1096-63-0x0000000000000000-mapping.dmp

Download
memory/1428-59-0x0000000000000000-mapping.dmp

Download
memory/1428-62-0x000000000DA50000-0x000000000DC25000-memory.dmp

Filesize
1.8MB

Download
memory/1428-65-0x0000000000240000-0x00000000003A7000-memory.dmp

Filesize
1.4MB

Download
memory/1428-66-0x000000000DA50000-0x000000000DC25000-memory.dmp

Filesize
1.8MB

Download
memory/1428-69-0x0000000000240000-0x00000000003A7000-memory.dmp

Filesize
1.4MB

Download
memory/1664-55-0x00000000011A0000-0x0000000001307000-memory.dmp

Filesize
1.4MB

Download
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1664-64-0x00000000011A0000-0x0000000001307000-memory.dmp

Filesize
1.4MB

Download
memory/1924-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads