13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23

General

Target

13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
Size

168KB
MD5

6e9e80d1fb531f6dc3fed7bb456f5ff0
SHA1

3af891b7f088113133cdc403f406e98555ccf69f
SHA256

13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23
SHA512

faad7eab0b14d6b846ba96aba2b453094ab1bd68d2114deaa94292e3279f0e4f810735989dec1d16ad0bd3d78e6936ce902b394fc9e51758262b701246b17b0c
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hKWuOVEXIC1YDuKPeTx:WbXE9OiTGfhEClq9IuOVEXIgY5GTx

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4268	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\minet\miss\palachi_na_dibah.hhhh	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\shabash.log	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\TURboPenis_tehno_prank.bat	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\smoki_mo_mo_mo.vbs	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\horocho_bistro.bat	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\Uninstall.exe	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File created	C:\Program Files (x86)\minet\miss\Uninstall.ini	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\lock_docg_snop_dog.rrr	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\kjb4rtiyugwuiytefwil45hyopwegtruowet.sdfhisaugf	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
File opened for modification	C:\Program Files (x86)\minet\miss\trehochkovi_ne_dlya.vbs	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 5036	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	81
PID 2120 wrote to memory of 5036	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	81
PID 2120 wrote to memory of 5036	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	81
PID 2120 wrote to memory of 4580	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	84
PID 2120 wrote to memory of 4580	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	84
PID 2120 wrote to memory of 4580	2120	13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe	84
PID 4580 wrote to memory of 5112	4580	cmd.exe	85
PID 4580 wrote to memory of 5112	4580	cmd.exe	85
PID 4580 wrote to memory of 5112	4580	cmd.exe	85
PID 4580 wrote to memory of 4268	4580	cmd.exe	86
PID 4580 wrote to memory of 4268	4580	cmd.exe	86
PID 4580 wrote to memory of 4268	4580	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe
"C:\Users\Admin\AppData\Local\Temp\13c0690f8502a4498119d42429573339394fc95b6751d5747565735657691b23.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\minet\miss\TURboPenis_tehno_prank.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\minet\miss\horocho_bistro.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\minet\miss\smoki_mo_mo_mo.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:5112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\minet\miss\trehochkovi_ne_dlya.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\minet\miss\TURboPenis_tehno_prank.bat

Filesize
1002B

MD5
e6544067c14194ed3aad4287a550ca34

SHA1
a4696d60f203d5cabddfa09f7cf76d7479c5071a

SHA256
b8dabf4a2a5b89daea016893e634eae6442dac4055b3f3644902393183e8eddf

SHA512
e6d691b3f322160798ca2dddf7acab25d9b7687963a0dd059045e55f166e0b6b0ee0ea41ccf216134d2e89f36e120c1a148564fa9dc5bd7596b19556fcd21ba3

Download Submit
C:\Program Files (x86)\minet\miss\horocho_bistro.bat

Filesize
74B

MD5
dfab498697ae778951b7e83e9490bacb

SHA1
944895997702cfa3c5a6119dd827e11564ec86b7

SHA256
8c605c4e8f2390ae1bd8a6deac2abab7640cf65098c908eea241e64776af472e

SHA512
8fe48e0fe420d9947fd18bd724519e786f2032bf92229fd2d44739894e6d5dd5e03bd6ac11531389f1dcbed8598773498697657d3ad9f2c6139eebd1eb82e082

Download Submit
C:\Program Files (x86)\minet\miss\lock_docg_snop_dog.rrr

Filesize
41B

MD5
7c7a14ba40f5a6b58e44d800b9045672

SHA1
a104302caf1297e2c2d634dcf43be564c8a98ef9

SHA256
9f32b86f0c233ef0cdf4f65b2dc5460659bd13b78400209d24313aed7c43d4fd

SHA512
d47feffbaa1c2e1d9af118ab1e43429e7e5c96a7eed2d2c811168b67463ddae810e58182843638fd68a37696a3ac71d1ebda3f7a65388a470a392b51ab99daa5

Download Submit
C:\Program Files (x86)\minet\miss\shabash.log

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\minet\miss\smoki_mo_mo_mo.vbs

Filesize
744B

MD5
0c3f12aca53136ac4d6ece456f477085

SHA1
0403e611c28d23113d4f59d83fc35db4b49970b5

SHA256
6bfaf8ec8bc891bb757df1db5b8430cd6079b4ad3c2c684546d09738d521dd0d

SHA512
5537a961ed7eff90abfe74b7671e2043abddde2f6bf308869bc0713eb79bbdcab81589bce051c127e8f0d86d9c216665561f33a56982a1a879098ebe0e177767

Download Submit
C:\Program Files (x86)\minet\miss\trehochkovi_ne_dlya.vbs

Filesize
277B

MD5
8fa05a4e0971a87daf9debdd52b84913

SHA1
a918aee2ed0391a2aabf7177fe0521a2e143badf

SHA256
3dae8d9315accee2a22500af58a93f5348542e7107238ff8a1bd66002518ad16

SHA512
51eb40837c9ddb31415fa00d3997aed568c82060a60c41cb4a1e6bada1091f18ded63c102a113880b899b34e116797d42f9fffb8d293907368bb720265139bd0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f9641f9b0d06696abe6d29e2841b2c7c

SHA1
b8e4e1b432b7dd572b16f850456043e23c0f2f76

SHA256
1cac219765e0726d74e0a1546d121e28843e661b29f9090115c7a4a56ebf5799

SHA512
d85bb9ab724c0255959dbff0cd679413807cd5d5307db5406c1b38902961727835efa46d932ce295482ee898be090ae89a9c13cf487ef9af53007901ba651128

Download Submit

Analysis

Sharing