55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69

General

Target

55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
Size

179KB
MD5

4254a38cd7d8fcda7bf9908659da9800
SHA1

131acfda848702a843cc2f8c41c9dc908c2137a3
SHA256

55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69
SHA512

69bef79c0dffdd06ecd4b265579d18ff0991cc8002efb7cf173b74ef1bae1c2d59d7df955b99ee44e66333502249c316d48d355395eeb6fdb67d4c4f48d58f2d
SSDEEP

3072:dBAp5XhKpN4eOyVTGfhEClj8jTk+0hEH3FnzbwM7jE:YbXE9OiTGfhEClq97H1YMs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	5044	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\kroka.txt	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1360	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	82
PID 4692 wrote to memory of 1360	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	82
PID 4692 wrote to memory of 1360	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	82
PID 4692 wrote to memory of 5044	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	84
PID 4692 wrote to memory of 5044	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	84
PID 4692 wrote to memory of 5044	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	84
PID 4692 wrote to memory of 4316	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	85
PID 4692 wrote to memory of 4316	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	85
PID 4692 wrote to memory of 4316	4692	55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe	85

C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
"C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:5044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat

Filesize
2KB

MD5
173c9456ba55dc96ae2f814d7dc8498d

SHA1
8be3e551437923443a674696bffddcf00feca5f6

SHA256
36a29ba74c9699a3669f7028e8e81407c7c33902bc8b0fd7ccbc0ee1874ddb66

SHA512
c590a297368ee6f7d7888105afca6cbca730086b3e614ccb4e38cde87497693ec410faf8e1e2586e5bceec4be0505f007fac04d93d05773a213729f064a9951a

Download Submit
C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs

Filesize
547B

MD5
95b51611c95969446d7f040364a432d9

SHA1
ab6ecb745d97b15c9643b9dc525c12852e05c200

SHA256
530bdad03da31c4ce33c5c2bf3eaadd36d907d9ae7c55b71a5489be86684af52

SHA512
9aa32ef67bc21a979f7d62178cfd4c6703f220fb853dfb18b48f31447744fed849e5bf0a76bb60ecb711d0008375623dcf8b5ce2d36b22a6f5dbe72a5dc5b70e

Download Submit
C:\Program Files (x86)\LuaZ\PTka\kroka.txt

Filesize
44B

MD5
e3bc75de29aaa206dbcf7a00e5044b55

SHA1
c4aae8959c0cbe2524e532806582ed93764e4997

SHA256
8d7f2d6aa8a170ecddeb3980e3519a522fdfd364a106b87da3b2d138207d8b6f

SHA512
ffd1dcbc08bf6b5d3da6271b24bd3f5cb1f9b4525169efa6943aebba4b6fb5e7af1ae22d68bc039144e9cc120c8fd558b73ad03f629df10cc695f7d66009acc3

Download Submit
C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs

Filesize
381B

MD5
a7a6ceb36ffee1ab53f843fe510ed946

SHA1
dadc4a91d8cace6e25d4f18c1198619e405202ca

SHA256
f86d6c0ae3e4159757eb2285d9e43eb1a0d96b152d5be3d469ae279324f1e9aa

SHA512
849ea144d89f787fa4654a727fc4e138efc7a2423f299fd7d1d072af0ef0247bb1294c8add800b911115f97a8a73c1aafe83ae677225ef2d66293a4c6859055f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
23b7991984f0caf74fe68d99dcb84bde

SHA1
cd27fb48d1c647cb8160220d9bedee2c2dfdff68

SHA256
381f6d6d7ce6bdd8110b69ff6510fe09663a4af7f6bd1cedfa27f1d9bd27efe4

SHA512
998f406c07329efe1cd83f7cc5283f74686a12c9046993002acc0337eb4f3fa37265968f1c7ba8f7b28f03ae9da91e9f67c134b35d3b7074a400139412408de1

Download Submit

Analysis

Sharing