f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2

General

Target

f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe
Size

180KB
MD5

58e4b25974f8ea9740b7b077d96789a3
SHA1

534e032db43c4509b6add1f404880f1a2189f2ba
SHA256

f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2
SHA512

df76aa0f5590fcd0c42c38936d748e1107dfc3037c8ae1b64d0dc2ad998e79ec7d99123d968c491b7761f85ad5ab7afa711159d6860a297fa520052ce600a80f
SSDEEP

3072:CBAp5XhKpN4eOyVTGfhEClj8jTk+0h4tzQnV:RbXE9OiTGfhEClq919QV

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2012	WScript.exe
4	2012	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\she.he	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1640	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	28
PID 1372 wrote to memory of 1640	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	28
PID 1372 wrote to memory of 1640	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	28
PID 1372 wrote to memory of 1640	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	28
PID 1372 wrote to memory of 2012	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	30
PID 1372 wrote to memory of 2012	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	30
PID 1372 wrote to memory of 2012	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	30
PID 1372 wrote to memory of 2012	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	30
PID 1372 wrote to memory of 1928	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	31
PID 1372 wrote to memory of 1928	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	31
PID 1372 wrote to memory of 1928	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	31
PID 1372 wrote to memory of 1928	1372	f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe	31

C:\Users\Admin\AppData\Local\Temp\f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe
"C:\Users\Admin\AppData\Local\Temp\f4e5825adc11aa823c341af66d0ce167c38852e6938c98023108f45e38183bf2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat

Filesize
2KB

MD5
1d1d1efd72bb495b142adfbf180d0a73

SHA1
4a2c256b2a73fa1ded104e3b63f48ab55612bf75

SHA256
d7be2f0db1edc4cab7fd0e8c2c09257cc68fbf7b225a5c02b5d252c850eca665

SHA512
05cd1241388a1c37a07dc6c5ff7baa6d33efc675ab1a88775e9f1be26bc81a1072aed3a15ee82c4ad53b78c7c6f31be067194c2ee6d835a300f6da8f021ac684

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
457B

MD5
952a243e1c2cbfc9d3ca933ef5a8e56c

SHA1
7c4ef7cf9f2a9d8a4ebd92a56f2b46e6aa1d4dd2

SHA256
17c00fa6190337603ed9a541ada19f968f889b300e1c72216bc7ceebf518b085

SHA512
2d839654856aac6a271094712b889bc53474b8b36b720342acacbdd31a011c135cebd33176cc4c7d5f5afa46dff9c23792b62eeb6f1832ac974167bfe13c542f

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
506B

MD5
609cc7b7d6537e1ab504aeed44da620b

SHA1
2a60ac508db536d03fdaa0836e8fae6b38788c21

SHA256
72f4a80b5f9e06ee5369f3951903607fe4b9a52e5f993f1dbcbcff69d481c146

SHA512
4d96554fa9635b48bba9635a1322145d840624efd59c048de6e1acca3e154abc028b720d89798006ca92fb3b29618a75b4bf353c28c57452551d1944bd18fbe2

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\she.he

Filesize
103B

MD5
72313cc7428b5073caaacf4cdb4f4442

SHA1
c1a3a5d48eab7b64b14ad3a9ab8446d4eedb8033

SHA256
d52aba80b29b254a4228bee044984a20ec61988d8e3abb40855d704d55bb73a4

SHA512
f91b7071560dde119be35f57034c3240d19aafebe0556f35928c659aa067b54772305101278a4aa0068bde798966adfbe9f9add9710d61838797996401512197

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b9ce8b1d9b2e0cd9bfd40d888da0e8af

SHA1
4bc1fc31fd5c17080d5937bbadcdac27d7d856b0

SHA256
33a18e29d5e59e631098aaa40872c109691f1257cf744294cb2a6fe8582cfe93

SHA512
f7a360d44328e63a7403016e4d3c05666c2bbb6e932b7e1d7e3415c5a8f3c69a49dc1f85895dd40fc2bf9e3def8dc9758ae7ef3e67725f46c8d21fd01f33b845

Download Submit
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing