db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf

General

Target

db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
Size

237KB
MD5

79ab763baf4f85ddc8b87d47f3117ec0
SHA1

f311effc11ade55f64d2b044c6080fb0d9c52b1c
SHA256

db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf
SHA512

fc94d88b60975ab11d69d5cae7cc0f947a6bfe8aec3838c80ad0945efc6483a58e93ec6dfc81da5df93cad0a43770f3fdbbf81b2a274f551ae5ae6ee06871780
SSDEEP

3072:ZBAp5XhKpN4eOyVTGfhEClj8jTk+0hT6IPEaG562E3nV9uVSUO2u+Cgw5CKHq:cbXE9OiTGfhEClq9gTuPJJUq

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	3160	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\zaryadku\proebal\slonik.vbs	cmd.exe
File created	C:\Program Files (x86)\zaryadku\proebal\slonik.konchaet	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\slonik.konchaet	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\slonik.vbs	cmd.exe
File created	C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File created	C:\Program Files (x86)\zaryadku\proebal\pizdets.poezdets	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File created	C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\pizdets.poezdets	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\Uninstall.exe	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File created	C:\Program Files (x86)\zaryadku\proebal\1.txt	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File opened for modification	C:\Program Files (x86)\zaryadku\proebal\1.txt	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File created	C:\Program Files (x86)\zaryadku\proebal\Uninstall.exe	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
File created	C:\Program Files (x86)\zaryadku\proebal\Uninstall.ini	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 4872	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	82
PID 3724 wrote to memory of 4872	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	82
PID 3724 wrote to memory of 4872	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	82
PID 4872 wrote to memory of 3160	4872	cmd.exe	84
PID 4872 wrote to memory of 3160	4872	cmd.exe	84
PID 4872 wrote to memory of 3160	4872	cmd.exe	84
PID 3724 wrote to memory of 4244	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	85
PID 3724 wrote to memory of 4244	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	85
PID 3724 wrote to memory of 4244	3724	db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe	85

C:\Users\Admin\AppData\Local\Temp\db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe
"C:\Users\Admin\AppData\Local\Temp\db9305960c6c139b2311ab9339c2dee51773dc4f51aeb4bd5de76b6344292fcf.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\zaryadku\proebal\slonik.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\zaryadku\proebal\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\zaryadku\proebal\happenewyear.vbs

Filesize
594B

MD5
ea73b0667b42a0ab278f4a234c8f54cc

SHA1
984e6b1ccd9b32df64cfda3effb3df056f37d664

SHA256
6e2497a357b5881de52960c33fff83ee66ae48ccd2269c113970990985444df7

SHA512
9bd724178cfac1f889d954e53158f564edd1dc844bdd89dfdb995752499a20a644ab2b981f6322c2b47a2a0f081204247ecfb9481677fd27b8e0801478759922

Download Submit
C:\Program Files (x86)\zaryadku\proebal\pizdets.poezdets

Filesize
54B

MD5
07d145c7ac9ced0427fd980ec4c9b414

SHA1
33d7ece51fb6f0170224bddacd02b87747e20726

SHA256
c88625344f862433eac4cf98d94d1063f81d90dbd29e889504b5e3fe074d4f98

SHA512
9d670a85eaa2325d169f19c13d6a1980c4041ac73a7cad8daaf75624827a2895939b08b9041eb61293c17362b85963f9f9a90c30c15bc8a69e1a58e43d77de6a

Download Submit
C:\Program Files (x86)\zaryadku\proebal\routerpoi.bat

Filesize
1KB

MD5
46826267d5bbadaddcddc2c08d017752

SHA1
0ee6c038f6268e0ca00ea313944ccc0b4f020c45

SHA256
66e8d0006c718f7cc7550f4272d213f59fa86002fff1e0240d52ce9d1bc560fd

SHA512
bdb730e334d13c148e008bf34aaebde1e98781ba4b5fa068e90da534480b96ef4e56627ee85c4c9574c87ad3ac76d69aa9b6f94cd847bff51d2b8df6502d7c01

Download Submit
C:\Program Files (x86)\zaryadku\proebal\slonik.konchaet

Filesize
246B

MD5
e4b0e46540c36a24b8e36969992d076a

SHA1
ed0bda2b79804c6fcd3ef8b4d654f9cfe26fb8fa

SHA256
5faa87176017d0351f11dacb3036d07dc5860d7432739f9dbc72eac33bce41c9

SHA512
1b20d263776b5e4c35e067a8b40a7df1346f8bd68c33bc7ac33cf97b0cd7674d4aae54e8a994194a3e3f46a9d256a5d11a0517155e904293230ca31a4f406fe4

Download Submit
C:\Program Files (x86)\zaryadku\proebal\slonik.vbs

Filesize
246B

MD5
e4b0e46540c36a24b8e36969992d076a

SHA1
ed0bda2b79804c6fcd3ef8b4d654f9cfe26fb8fa

SHA256
5faa87176017d0351f11dacb3036d07dc5860d7432739f9dbc72eac33bce41c9

SHA512
1b20d263776b5e4c35e067a8b40a7df1346f8bd68c33bc7ac33cf97b0cd7674d4aae54e8a994194a3e3f46a9d256a5d11a0517155e904293230ca31a4f406fe4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
8313c835bb334eb3761d4c1a61fdafdc

SHA1
29ccdbd5e112bce482e662a206804b4fb02d96c9

SHA256
3fed7a45106d5d6e981217319b20197cd38029e3e87b71422bcba4b16c347fd3

SHA512
74d0e7af6c2460d4c0732e5d276fc16398bd9095c3d37b16e557ddda70820e3781eb8cee1ec00ed76060e4f0cc8de4ca4207bd965cb0d81b7968de50bb551229

Download Submit

Analysis

Sharing