55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69

General

Target

55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
Size

179KB
MD5

4254a38cd7d8fcda7bf9908659da9800
SHA1

131acfda848702a843cc2f8c41c9dc908c2137a3
SHA256

55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69
SHA512

69bef79c0dffdd06ecd4b265579d18ff0991cc8002efb7cf173b74ef1bae1c2d59d7df955b99ee44e66333502249c316d48d355395eeb6fdb67d4c4f48d58f2d
SSDEEP

3072:dBAp5XhKpN4eOyVTGfhEClj8jTk+0hEH3FnzbwM7jE:YbXE9OiTGfhEClq97H1YMs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2032	WScript.exe
5	2032	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\kroka.txt	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 840	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	28
PID 1604 wrote to memory of 840	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	28
PID 1604 wrote to memory of 840	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	28
PID 1604 wrote to memory of 840	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	28
PID 1604 wrote to memory of 2032	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	30
PID 1604 wrote to memory of 2032	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	30
PID 1604 wrote to memory of 2032	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	30
PID 1604 wrote to memory of 2032	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	30
PID 1604 wrote to memory of 2024	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	31
PID 1604 wrote to memory of 2024	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	31
PID 1604 wrote to memory of 2024	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	31
PID 1604 wrote to memory of 2024	1604	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	31

C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
"C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat

Filesize
2KB

MD5
173c9456ba55dc96ae2f814d7dc8498d

SHA1
8be3e551437923443a674696bffddcf00feca5f6

SHA256
36a29ba74c9699a3669f7028e8e81407c7c33902bc8b0fd7ccbc0ee1874ddb66

SHA512
c590a297368ee6f7d7888105afca6cbca730086b3e614ccb4e38cde87497693ec410faf8e1e2586e5bceec4be0505f007fac04d93d05773a213729f064a9951a

Download Submit
C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs

Filesize
547B

MD5
95b51611c95969446d7f040364a432d9

SHA1
ab6ecb745d97b15c9643b9dc525c12852e05c200

SHA256
530bdad03da31c4ce33c5c2bf3eaadd36d907d9ae7c55b71a5489be86684af52

SHA512
9aa32ef67bc21a979f7d62178cfd4c6703f220fb853dfb18b48f31447744fed849e5bf0a76bb60ecb711d0008375623dcf8b5ce2d36b22a6f5dbe72a5dc5b70e

Download Submit
C:\Program Files (x86)\LuaZ\PTka\kroka.txt

Filesize
44B

MD5
e3bc75de29aaa206dbcf7a00e5044b55

SHA1
c4aae8959c0cbe2524e532806582ed93764e4997

SHA256
8d7f2d6aa8a170ecddeb3980e3519a522fdfd364a106b87da3b2d138207d8b6f

SHA512
ffd1dcbc08bf6b5d3da6271b24bd3f5cb1f9b4525169efa6943aebba4b6fb5e7af1ae22d68bc039144e9cc120c8fd558b73ad03f629df10cc695f7d66009acc3

Download Submit
C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs

Filesize
381B

MD5
a7a6ceb36ffee1ab53f843fe510ed946

SHA1
dadc4a91d8cace6e25d4f18c1198619e405202ca

SHA256
f86d6c0ae3e4159757eb2285d9e43eb1a0d96b152d5be3d469ae279324f1e9aa

SHA512
849ea144d89f787fa4654a727fc4e138efc7a2423f299fd7d1d072af0ef0247bb1294c8add800b911115f97a8a73c1aafe83ae677225ef2d66293a4c6859055f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9b9285872ec42104cedb8def1ba2a600

SHA1
43526f37ebe628b5a031b2aa3e0ae978b62129a1

SHA256
4b587ccb2280a8b09dc0f770e1a2badeee96c9080a3f4a93d1078df93c118f96

SHA512
d7a37e15f12e3e9a752cec5b332dd2614a30149e7a63dbee7390d99f79ef0015c6eab45671197430cc12b8fc1cd14ab7443c26c0823eb93cda9ec9176a8989fd

Download Submit
memory/1604-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing