Analysis
- max time kernel: 85s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-04-2023 09:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: b1d156c496219977a9cd4355094613f5.exe
  Resource: win7-20230220-en
General
- Target: b1d156c496219977a9cd4355094613f5.exe
- Size: 1.1MB
- MD5: b1d156c496219977a9cd4355094613f5
- SHA1: 2f0476f22e05455ff4e56171438d16ff87291ea5
- SHA256: a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3
- SHA512: cf2b36778aa5a54b082de89b9e0e4404e00cf634ba9d7cfe8a8f21a8a39be0787a042328688af18f6fe6a144d869a73100267e1301cfbbd0701c7c3595dc81cc
- SSDEEP: 24576:kob9rHzThqel1mK5XJent7IL+PYL65XPr5JfQZZ0WgisS:kE9TTRlvS5YL6ptJfQZiWg3S
Malware Config
Extracted
systembc
45.138.74.200:4001
212.8.244.5:4001
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - b1d156c496219977a9cd4355094613f5.exe: Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 4472: Capeteka dileket xehe quele quipabim cokaho.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
  - PID 4416 b1d156c496219977a9cd4355094613f5.exe (recorded 10 times)
  - PID 4472 Capeteka dileket xehe quele quipabim cokaho.exe (recorded 10 times)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID / process wrote to memory of target PID / process; each pair recorded 3 times):
  - PID 4416 b1d156c496219977a9cd4355094613f5.exe -> PID 4332 schtasks.exe
  - PID 4416 b1d156c496219977a9cd4355094613f5.exe -> PID 4472 Capeteka dileket xehe quele quipabim cokaho.exe
  - PID 4416 b1d156c496219977a9cd4355094613f5.exe -> PID 2016 cmd.exe
  - PID 2016 cmd.exe -> PID 5092 chcp.com
  - PID 2016 cmd.exe -> PID 4092 PING.EXE
Processes (process tree; depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
    Signatures: Creates scheduled task(s)
  - [2] C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
    Command line: "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
  Filesize: 752.1MB
  MD5: d852d875a402fdb6596a20c00d527ca7
  SHA1: c6d9a225b28e710ca7763e8a73845d0d259aa92f
  SHA256: c4c469c8c6a93e6ae49192da6d72abf516d20f6d1696f9499d7d20d3e19d3237
  SHA512: de29c8f849e3798a5a8137a748b65d3e72fc2f9303a26207fd420109d296cf220f3e03a8629cef90b776e08f25f39a122c67b5d397907294cbef3348ea2bce66
- C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
  Filesize: 690.1MB
  MD5: 079889f810705b3eddbc547d4d6c7f41
  SHA1: a351109a048d5142ccc84c944367c9cde1dc8b66
  SHA256: 9a5c05f7a4931a22d18b37e656a7113c3fab3a511ae009b2783156d469b51d2a
  SHA512: eeec33eab3d21842a3d79205e3adba5a8e7388213fa86f68182a10c7ff53fcc20770cb30dc30ebf29015009f1e864d4044c66db447756a6dc42ea2d7746bdf1b
- memory/4472-144-0x000000000F7E0000-0x000000000F82B000-memory.dmp
  Filesize: 300KB
- memory/4472-145-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB