54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0

General

Target

54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe
Size

180KB
MD5

472a3300b7fb4060cbad0fcba5d99460
SHA1

1f433a46b4e26879e6aff56446b9ad08c678af02
SHA256

54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0
SHA512

a28cb6b378681453cc766539998ac062e1344f8d0cff7bc8e61ed0efef164bde8c541ab273b63727afe31efdfcfdffc7c936ad7942fc5d8a983fc32bbc5982f1
SSDEEP

3072:fBAp5XhKpN4eOyVTGfhEClj8jTk+0hD+V64pfPFtlY:ibXE9OiTGfhEClq9VzfPFPY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1788	WScript.exe
7	1788	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1416	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	26
PID 1160 wrote to memory of 1416	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	26
PID 1160 wrote to memory of 1416	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	26
PID 1160 wrote to memory of 1416	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	26
PID 1160 wrote to memory of 1456	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	28
PID 1160 wrote to memory of 1456	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	28
PID 1160 wrote to memory of 1456	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	28
PID 1160 wrote to memory of 1456	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	28
PID 1160 wrote to memory of 1788	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	29
PID 1160 wrote to memory of 1788	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	29
PID 1160 wrote to memory of 1788	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	29
PID 1160 wrote to memory of 1788	1160	54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe	29

C:\Users\Admin\AppData\Local\Temp\54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe
"C:\Users\Admin\AppData\Local\Temp\54cbc8e6854f25c1e7fa190b8d4458e79a95f44cbb862b626ddeae7949c27be0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
1d1626d011dc2661ec722c9f2ea2eec4

SHA1
6b69f428fc7968443f027dd450e929c77e955fcb

SHA256
ce1d9d4790f36cf844a5bad5f9bf0260d25166a4df7c489f290cd0770e60cf00

SHA512
e9ab4adf8e3e1fb95982bc632a75345f6a9b9f450bdb510026f8c7e27d9db58fcbb7ed4f3b8c63178401e6eeb580afdc06a1605d413dba08b9cfabf36d185ba4

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
c7e23fded201c85552ed2c02567e8289

SHA1
ea05abe3759daf7b38952ed1415357aa1eda7107

SHA256
46a3aa0f67b5c73e3bf11de97e4e2a5d859f7d9ef7b0cc307ff982f591ff15a0

SHA512
4fa82657b1a4483784559671f4221ff35919b7f26f6faa3d3cdd46d42e09f8d014c38df5e6da9ff20d8c0f670d830f1d2997424af26ccf25bd99b5d8c1228440

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs

Filesize
909B

MD5
7b492ffa8638ebfec98dc28d94d40b50

SHA1
b1c0142200aaecaa0ec81d915879265be6e429cb

SHA256
73ef3bffc757aa3b8b181a92a08f0c525996bac3a51935200690ac77e8e7be57

SHA512
be1b3563fc5c8b9c918ee217881bf00fdf4040d311dcca6a856526a5583e2dc538d86c25946dc30f19e02f2708e8bc2c28d645a7934b7f189a30f2556f67c77b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs

Filesize
635B

MD5
a2d2ec3d8447064be489ff80607614eb

SHA1
15aa84b1a47f8f9c1a634bf0491172520008a3c7

SHA256
1e27c6d0bf78023e7156a02da0f5d91f6380e3caeca3b14b978c00de52c21969

SHA512
5a0d105f02b987706d869234bb8634cef297308463403fafaaa651e4f931bc59ee74ac1cb47b92390a0d1cb03d856372a6d55af3eb830fef4d44708c8a980530

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
3bfa0bc8b2e49a940bf6bd7e2fc910d3

SHA1
4973f24612f51dd293422a9ee5f3e291b4cae872

SHA256
67746cdadd6f848fc3ac24993afd230a8b0a9b6655fcc3954fd8d5b926976e5b

SHA512
86516cf4a74fa3975c5a448ee319c3a82b86b340bb2031204da552596feba45fca680e9418fc8e812d05b44556686e5c7ca6f5b441e4e25f485334778296ea6c

Download Submit
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing