0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d

General

Target

0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
Size

169KB
MD5

4283ff6fdc51323418be4898f73b8590
SHA1

9a58752307f4883be5d7de8dd2f63905ce3f73e0
SHA256

0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d
SHA512

9aa89c4c970027094f9ea6194c8a51ef8091e39a7e8ba8cd10b5ba6a2939b1010cd34a4339e6f5c424ccc63e33287624df447f2d786baf10b6c96cb31c8e4405
SSDEEP

3072:3BAp5XhKpN4eOyVTGfhEClj8jTk+0hXusqqs2D80jorK48l1mDAcjhUsP:6bXE9OiTGfhEClq97qNZjA8TmfP

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1876	WScript.exe
4	1876	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\TheInternationalFran.chi	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\or join your favorite.fran	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\Uninstall.exe	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File created	C:\Program Files (x86)\deli_jedi\spinogriz\Uninstall.ini	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\International Franchise.qq	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\ourceoffranchiseinf.or	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
File opened for modification	C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1428	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	27
PID 1228 wrote to memory of 1428	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	27
PID 1228 wrote to memory of 1428	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	27
PID 1228 wrote to memory of 1428	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	27
PID 1228 wrote to memory of 1168	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	29
PID 1228 wrote to memory of 1168	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	29
PID 1228 wrote to memory of 1168	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	29
PID 1228 wrote to memory of 1168	1228	0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe	29
PID 1168 wrote to memory of 2036	1168	cmd.exe	31
PID 1168 wrote to memory of 2036	1168	cmd.exe	31
PID 1168 wrote to memory of 2036	1168	cmd.exe	31
PID 1168 wrote to memory of 2036	1168	cmd.exe	31
PID 1168 wrote to memory of 1876	1168	cmd.exe	32
PID 1168 wrote to memory of 1876	1168	cmd.exe	32
PID 1168 wrote to memory of 1876	1168	cmd.exe	32
PID 1168 wrote to memory of 1876	1168	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe
"C:\Users\Admin\AppData\Local\Temp\0a4e865d405f78d2e347fd751b5fedf573e580ca9feb2eb8955c42b02351be7d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:2036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\deli_jedi\spinogriz\401kfundstopurc.bat

Filesize
60B

MD5
258d8136cd3c8432f1a081b556a21506

SHA1
a7c0e77f17798c228e3474b468f1367fb6c60345

SHA256
ebb8f6bf622daa7419d7f4033a88e7f42f1b17884bc93227f39059a9220b0185

SHA512
217296f331d1004be31a635619cb558430f3f679d62e1775f386f093d7700826fb384daa19fc6fac4d2ae172d861800b46e13ad3632b1fc2a684b31cafd66276

Download Submit
C:\Program Files (x86)\deli_jedi\spinogriz\TheInternationalFran.chi

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\deli_jedi\spinogriz\Top10franchisesof2013.vbs

Filesize
352B

MD5
f4ae0b1ba546e671236d25fd080086ff

SHA1
dc7376d6cf3c1817d7075dfeb2a29794bb264e8b

SHA256
9f7e2f2c6be9a9aa9b73125ba4de5b545b4a531958b1871b782db4a176979b7a

SHA512
ce3eddfaa803e5374165553e60ac70cf57b0901635511b8e601ea54cc92f2b27824c2771b1c2a09ffc841e50c936260411d08777ea3a87139111183a7d18f38f

Download Submit
C:\Program Files (x86)\deli_jedi\spinogriz\ndresourcestoesea.vbs

Filesize
1KB

MD5
98e4ff92d90de50f2c4c5d49f2236bfb

SHA1
0f04889c92cf9cab3900a8cc1e1141803fa95fbf

SHA256
298c7e610f7bd5f1cda0a9da69fbfe469db7856af6b61de0019ba1bc52773805

SHA512
3d32a3d513da0179ad3722c3facb3da60ddb6ce3f5428976f247cf766e42be6ab19e8e5edc5daddf2285015c57fd63a0aa31938df793f78f489e88cd22ff0eca

Download Submit
C:\Program Files (x86)\deli_jedi\spinogriz\ourceoffranchiseinf.or

Filesize
56B

MD5
33243862ff997cdc12ddc6e5af696693

SHA1
09a7587fe08458cfde973d60a4d2dc992906b4e2

SHA256
6b7c065ccb61fc5c6c52e939e5f2dcfd3de99e46ee7f7d3632614aa2f6514162

SHA512
d3fdecb19fd5b063be5bae394597178f5643390c21808d4c9dea6361cbb4a764d613f802e9c8a3ea7a4c1bb96d6f805137ef2ad5e361875e68b6c5b01564ed6c

Download Submit
C:\Program Files (x86)\deli_jedi\spinogriz\seAssociationisyo.bat

Filesize
3KB

MD5
455d28196dd32bfdc43d98f03ba56578

SHA1
a22e664b456435b555e5e35aac63f1ade6a8f532

SHA256
6d3a4d67768bd3d1fa76cb7d0fcaf7b2f8322c084ce4ea1d19e00e9da7228f99

SHA512
4754238540c9f5ecea93343a74645c84b12a45ed6455408e822810b8e96f519482fa7b0766666e92cb93bc6865fb820c4208cead0ecfa44e09d1750bef702155

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f07d07c7aba283275e6b90e2160fda7c

SHA1
c942ba833627345a8b01de4a667989864d8a1769

SHA256
2318fa9d3959912f8451541619fe23d4eed7a4b32d332154e106b013d63944c1

SHA512
efe99d973a0facc3f25a9de3672a528519939f7d9c83938d067a8f8ee27d7104e47f2379765b2bd725fd1b5ed3a21c16f7cb52c222e71ed71bdfead940d40e25

Download Submit
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing