ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c

General

Target

ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe
Size

180KB
MD5

15a1666d54e2f96463a8bf70f343c034
SHA1

4ed409f495806f986ef93afb5cf578641dc7b173
SHA256

ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c
SHA512

63ccde1952196b48e0853e82cb116ea54f611ec4c46a0a9024700e483717d2edac8718570a610ca73dfc606346a90ce6948755b9b6c26d4d31094c71a7aa0870
SSDEEP

3072:TBAp5XhKpN4eOyVTGfhEClj8jTk+0h6eXmw:+bXE9OiTGfhEClq9deXb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1484	WScript.exe
4	1484	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe
File opened for modification	C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1232	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	27
PID 1380 wrote to memory of 1232	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	27
PID 1380 wrote to memory of 1232	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	27
PID 1380 wrote to memory of 1232	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	27
PID 1380 wrote to memory of 700	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	29
PID 1380 wrote to memory of 700	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	29
PID 1380 wrote to memory of 700	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	29
PID 1380 wrote to memory of 700	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	29
PID 1380 wrote to memory of 1484	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	30
PID 1380 wrote to memory of 1484	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	30
PID 1380 wrote to memory of 1484	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	30
PID 1380 wrote to memory of 1484	1380	ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe	30

C:\Users\Admin\AppData\Local\Temp\ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe
"C:\Users\Admin\AppData\Local\Temp\ae9bd2412b4e0da7bc88661f31b47a43911110cad21d251fd9e839004f95265c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulisdf\take me tsdf\333\why_do_you_cry_willy.bat

Filesize
1KB

MD5
aa506bef8fa798ddddf0ed9e70ec1207

SHA1
70e4fa8356ecedb4ddf88251d801580b944ec457

SHA256
fb63d748a48680fae56b5a06f91d1c1ec71055211196ae287597678657dd9f02

SHA512
121969898e89cc8369bbb7cf324b91a909c4eae0cc8cf68a6b7a1cf1409ee24d30d14dbd43e0d330d37d38badd976c485f64ee4a1b2f77b5d3c5efb0e2cade12

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\____000000_hello__.vbs

Filesize
832B

MD5
df76155dbd96ed3fba4dae39b11d380a

SHA1
b92763f66c212d74ce657d7063b12f037f71911f

SHA256
cec520a813dad4bbb36f79d09034dbd2a27fd42d6a26a3697c781600e8b179d7

SHA512
6f97a45b6042a1654c85bc9e2c2e6e65c94345a7e77dac442ef20052e0a15adc8f60af2664b3c034d99dd97d46f276183ce80beefc29fd22d6c4de791a93f0b9

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\_hello______22222_______.vbs

Filesize
620B

MD5
e3a6c856222acceb9bbb3f521b2d6f8a

SHA1
cafca047a208fe189513d7c206b453778d0564e1

SHA256
994947db4656545c01196676f84e8c1d866938e22986db53792a01c112955559

SHA512
bfed69e1c2bde450910651f699474ecaf022bef888db008a51f7ac60c0bba727faf3d5cb9261edc29a781d7791e2a8a5db317edeb4d8996909cf778bc2d429a3

Download Submit
C:\Program Files (x86)\na ulisdf\take me tsdf\poztfiz\popizdota.dot

Filesize
34B

MD5
f93ff4c36dd1a285ee95df1e0ef1b8fb

SHA1
3997123f4021f55fc184705a59e6a26dc7bafa45

SHA256
67e382332542d77877ee8c54e4dc4ba9e4b58330bc68d8d09bb6a7f40b633dd7

SHA512
a0ce702eeb5f95cda4c76b001f435191b90ec552d1d4f7d8b9d0cfea528ffbae8913498aae3be53bdd84642bc3516d1c595ebe8d1a7054e6f883d0498088eb1d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
df7153ef2ec6c9e7e49afd0773b068c8

SHA1
639714e6af6d094435dd07aba85da2e211b98b5e

SHA256
5380dff333334e37ad7ccfc2136d86610493444aec6a43d8608adc04354bb480

SHA512
546861da78339c7cbbd75b3e39a378b8a74bd78b6619356bb5256782a9516aca64c8535274ebe7b3b6d55a2e0f3a86cc0d97591421e096f32615fa6d49413da5

Download Submit
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing