27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832

General

Target

27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe
Size

181KB
MD5

81d50d3dbd4adcb62a806ef96aa5181f
SHA1

f259bddfee5009ea6b01a4b05a1a9eec5e4e13ea
SHA256

27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832
SHA512

679da7bcac95e68a6eecf5f35f8a3c2b350ac82f6158f234d5c7327bc7017d9ca1f1b383c4c1f2dffeaf307023f44527412cf16eb5c9a104e088fcd51aae2afb
SSDEEP

3072:oBAp5XhKpN4eOyVTGfhEClj8jTk+0hzpMcWe8cBJP:fbXE9OiTGfhEClq9epMc/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	524	WScript.exe
4	524	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\pipi.ska	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe
File opened for modification	C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\182be0c5cdcd5072bb1864cdee4d3d6e.bat	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe
File opened for modification	C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\182be0c5cdcd5072bb1864cdee4d3d6e.vbs	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe
File opened for modification	C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\32250170a0dca92d53ec9624f336ca24.vbs	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 632	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	26
PID 1544 wrote to memory of 632	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	26
PID 1544 wrote to memory of 632	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	26
PID 1544 wrote to memory of 632	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	26
PID 1544 wrote to memory of 524	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	28
PID 1544 wrote to memory of 524	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	28
PID 1544 wrote to memory of 524	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	28
PID 1544 wrote to memory of 524	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	28
PID 1544 wrote to memory of 1280	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	29
PID 1544 wrote to memory of 1280	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	29
PID 1544 wrote to memory of 1280	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	29
PID 1544 wrote to memory of 1280	1544	27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe	29

C:\Users\Admin\AppData\Local\Temp\27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe
"C:\Users\Admin\AppData\Local\Temp\27bfac7407fe4778aa9a6cd3fd90834e2dfdef3807c0881ed23b4e12a32b3832.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\182be0c5cdcd5072bb1864cdee4d3d6e.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\182be0c5cdcd5072bb1864cdee4d3d6e.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\32250170a0dca92d53ec9624f336ca24.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\182be0c5cdcd5072bb1864cdee4d3d6e.bat

Filesize
2KB

MD5
66cdecfe3e7053a843fa84bfa132024d

SHA1
bf85ece2386ff09b0975870e215dd7b7ce7c664a

SHA256
f20d71144a5c47c28cec42690a8a22f9ac4d1f96e4ac6806068da43df9eb7a24

SHA512
c08bbbc5b3a55fcad45577a0068ea9305ea0fcfbf4428913e785a522c6858bb39e87e587745f0b81c43ee3e8e394e0f55f9aeedcdce88b98cb9f40d1e14a4522

Download Submit
C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\182be0c5cdcd5072bb1864cdee4d3d6e.vbs

Filesize
331B

MD5
65ef52454ec4fad796651d951742ac72

SHA1
ec1ab5c35d9fc0e4c9431d4ece99c4f00d55acf3

SHA256
6e1a90de66de8272ea6eb60a00bb6077084690ab13fe0fe540aed0c4731e63be

SHA512
956381025948dcd3646564b7e5795d6206fe5e6cefc362fa47f1ff3a04d2c1020403250c8f2d647e1e8e7c77d3fa52acd7b37eabe48f7af917b9fb2b21769f95

Download Submit
C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\32250170a0dca92d53ec9624f336ca24.vbs

Filesize
442B

MD5
b3d44dba7a2924460569a8c1d2aec944

SHA1
4e508caa81f716f61d23c4298e2ca8f3629e55c9

SHA256
a7dc348818e8d96e1bc9edd6fb539148a2fd9e9b5e5c80d6061881e76447c94f

SHA512
5548d544baf2feebe02cd891a48c9955d16d816054b7e8a7ee19d3b38818380a0503a6c577242dc146ef0448e75ea713dd5f524e7e9bcf0194c91041e2504651

Download Submit
C:\Program Files (x86)\182be0c5cdcd5072bb1864cdee4d3d6e\1aabac6d068eef6a7bad3fdf50a05cc8\aa\pipi.ska

Filesize
44B

MD5
afd64f92d152febaf2ceb725ca35307a

SHA1
61865cd62682fa7f14bd3797e53d6a32aa8f78be

SHA256
86e5aef62dfdb50f4fe65db1d575db3f0031702b7b261ab330cd884a34eeb835

SHA512
b478898f94b238d3eb1f946e202cc2403eefdd2d2000c1d44c25ee67ff98ee5b9f8fe7f0f304fa38cbfc06c623d560b3177d84e91ae8a9a068165fc05a17e9c7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
4fdcf8711479e4ade03fad2b5cd8d26b

SHA1
e0d1857a4559017760ce5c1e98006a91bdac02ec

SHA256
32cf7a01415f0396704592c345a238ec7e614315ace6a8ed888f3664702cfb63

SHA512
b2935827934dabe920a50e0a8c008dbbc114843d5702fc7e2a0f79c1d7d3bdc16aa6ce99bd256daac97955a0f76a608e40ab5188a25c8a4aab13e027ce3589ea

Download Submit
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing