Analysis Overview
SHA256
a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3
Threat Level: Known bad
The file b1d156c496219977a9cd4355094613f5.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Runs ping.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-11 09:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-11 09:10
Reported
2023-04-11 09:12
Platform
win7-20230220-en
Max time kernel
41s
Max time network
37s
Signatures
SystemBC
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe
"C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
"C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q | udp |
| AT | 45.138.74.200:4001 | | tcp |
Files
memory/1324-54-0x0000000000450000-0x000000000053E000-memory.dmp
\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
| Hash | Value |
| --- | --- |
| MD5 | f8f4d8224a4fec72fe8fbd2def93e776 |
| SHA1 | 54a864b13a0a14fc686f13850c9a5b61803668e6 |
| SHA256 | c62e3badeae1bff62f2642396c02faa7eb2157b149aa94bb087ab68341754c21 |
| SHA512 | 5dc06b3593d38d1a115a50f0c5735b0f67b5d678132f33850ce4b77df44f7d024d8645ca086e839a7e1ee76fb1ebb91a2ddc1e31db23a73bd538e29a2f4b8d2e |
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
| Hash | Value |
| --- | --- |
| MD5 | 6d9afe7db15eef56c1170f80b850d70a |
| SHA1 | 2f04d0642b79458e7eb5829b78505063305ef1a5 |
| SHA256 | f387e80789898cb4700958eddacd925f5d53ecdc22ea05268ce2ad56ca7d63aa |
| SHA512 | 741a769c31ac268115bad3e16b01ec07cfa486bc72ddfb9c7b9dd4e414ee16019e3e40641ae74b362e00136101519f5dc5c732d1d52d6c27d25e59da55440670 |
memory/1000-62-0x0000000000370000-0x000000000045E000-memory.dmp
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
| Hash | Value |
| --- | --- |
| MD5 | 244d5b1af7b9a373286ca558980ff774 |
| SHA1 | 011508582d678da9f10e7d2608d0dbff865e4b5c |
| SHA256 | a71310c32a0c243fbd20a7102a65c41b63171e34aed6c614985adbbebc6f88e5 |
| SHA512 | 69ee31f4243381da86c75fe5421aed5e1f3cf32166ea239ff838637504f1c3c2d1290833dc6004e87306e10e7f3b681f44e2baf8bd0d1511f58bb54c5ba2d9ed |
memory/1000-63-0x0000000000D00000-0x0000000000D4B000-memory.dmp
memory/1000-64-0x00000000002E0000-0x00000000002E6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-11 09:10
Reported
2023-04-11 09:12
Platform
win10v2004-20230221-en
Max time kernel
85s
Max time network
147s
Signatures
SystemBC
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe
"C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
"C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.137.108.250:443 | | tcp |
| US | 8.8.8.8:53 | igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q | udp |
| US | 52.182.141.63:443 | | tcp |
| AT | 45.138.74.200:4001 | | tcp |
| US | 8.8.8.8:53 | 200.74.138.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
Files
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
| Hash | Value |
| --- | --- |
| MD5 | d852d875a402fdb6596a20c00d527ca7 |
| SHA1 | c6d9a225b28e710ca7763e8a73845d0d259aa92f |
| SHA256 | c4c469c8c6a93e6ae49192da6d72abf516d20f6d1696f9499d7d20d3e19d3237 |
| SHA512 | de29c8f849e3798a5a8137a748b65d3e72fc2f9303a26207fd420109d296cf220f3e03a8629cef90b776e08f25f39a122c67b5d397907294cbef3348ea2bce66 |
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
| Hash | Value |
| --- | --- |
| MD5 | 079889f810705b3eddbc547d4d6c7f41 |
| SHA1 | a351109a048d5142ccc84c944367c9cde1dc8b66 |
| SHA256 | 9a5c05f7a4931a22d18b37e656a7113c3fab3a511ae009b2783156d469b51d2a |
| SHA512 | eeec33eab3d21842a3d79205e3adba5a8e7388213fa86f68182a10c7ff53fcc20770cb30dc30ebf29015009f1e864d4044c66db447756a6dc42ea2d7746bdf1b |
memory/4472-144-0x000000000F7E0000-0x000000000F82B000-memory.dmp
memory/4472-145-0x0000000000400000-0x0000000000406000-memory.dmp