Overview

overview

8

Static

static

819e16d2ef...ce.exe

windows7-x64

8

819e16d2ef...ce.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    68s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-10-2022 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    819e16d2ef713e67c084e9d7cb41de260ad00b598141e73811d9d32811c128ce.exe

  • Size

    158KB

  • MD5

    8229591dda962c90abf7da4e89ab073c

  • SHA1

    b878bae76f91de82b560a15d58ce8e93f0e6b875

  • SHA256

    819e16d2ef713e67c084e9d7cb41de260ad00b598141e73811d9d32811c128ce

  • SHA512

    62be0282a5a2237f9c7df2db75378afe8dd347818610584dc3c6425cedaf6ad581c7d30b963b387728f1081095fdbf83e55fd948c7a85ba7576be2e0fd902d96

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6z5SU/Xbs140VBH39:PbXE9OiTGfhEClq9FKxIb/LxE139

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\819e16d2ef713e67c084e9d7cb41de260ad00b598141e73811d9d32811c128ce.exe
    "C:\Users\Admin\AppData\Local\Temp\819e16d2ef713e67c084e9d7cb41de260ad00b598141e73811d9d32811c128ce.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\begom_na_zore.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:604
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:1348

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\So\Sa\begom_na_zore.vbs
    Filesize

    1KB

    MD5

    52dc884b1691895358b39b74d907737a

    SHA1

    194c1f390e14622eba542bcc17a48d9fd8694498

    SHA256

    e440ba6d1957e93f8dcff1c29df59574b51d4edc260734fca2121aa56fe5573e

    SHA512

    f81b2bb8995dff03e1d99ec7a8822d878cff1a335758aab7c4a9a4f37c90ea083ca74fff1dc5643c4d31b14d9b8eeef6dba0b74e6fb0be0a03dbbf0a81529447

    Download Submit

  • C:\Program Files (x86)\So\Sa\nalei_tr.af
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\So\Sa\niznitor.cho
    Filesize

    54B

    MD5

    beea41cb41b4b45edd76d06d66b656ec

    SHA1

    2bf62ebee7dc96e8c259acc1c030847c7530ffdf

    SHA256

    62d162dc92ff95a34980c8aaac56741de02d97ac1141f35a205864461a1a16fa

    SHA512

    802663e2849e08a55d0ecaeab227188e56a1f3e59369b4cf042f7991afb8731ab93e8ad26311698b91f200de5b215a6f9dbd29fe7f7f562c884d8557184b4a61

    Download Submit

  • C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs
    Filesize

    180B

    MD5

    53a3ae53942f187a433e6d5dc3a090e5

    SHA1

    07cb91e0ed92468d6580e96a16de16c4f4c9c33a

    SHA256

    e5db2b622beb0d1a9fec5bfe501dee23325d8834190be8aec58093a12df1bf9f

    SHA512

    1f233152fdc75266f5dbdeb9f057aa2633238c5f7158a846b79d88fb4aeaa7aa1d80fe94ef0dd4844b14086943f3f952926d4b03c816cd563db8cb85193e351e

    Download Submit

  • C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat
    Filesize

    1KB

    MD5

    13c69d1c602bc2597c5923c4876fa387

    SHA1

    93261274f58309642d3d7f31f747d25fe6914bc3

    SHA256

    5594fcaf7b34cbb8baa38d724a467d60df9bcc8dd68c9a4390428e33097a2894

    SHA512

    ced03cfcc3106872972dda3d90bdc2edd42895b80f4d8b425464d8dde857a8834fbce4e30983f577da5ef4e6f4142a28bde401097184b89b240325bbcf28d487

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    c1ce8d64ca4491c039fad68079d5562a

    SHA1

    439080b9ab05e7948785eaa2c5a6e04229690cde

    SHA256

    bc08b3f1dffa77b1af12eaf680d2d9f1351c9006e4a54a82e834b036b25f3a38

    SHA512

    b2c533b3524c0c0e9a905e609d462d3e2108092ef89fa2e6c56cfc5023fb02829c38713fa6989782bf8357de34bc217aeed5ec60dacdbe2949b8de710fbfd0a1

    Download Submit

  • memory/604-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1348-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1740-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1980-54-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

    Download