b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215

General

Target

b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
Size

168KB
MD5

81f4740853dfddd3e65dec9939642460
SHA1

2cd8b1cd5774b1d87842f904618a3cc7946c0fb8
SHA256

b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215
SHA512

c14073e555dfca834b0b5d58186028cd06cb8d01a7da006c6f10ed8be1d0f39e1ce07f364d85299b6e2c136b10692f0aa873e9ccc537fba67e79c3a9bdc5203b
SSDEEP

3072:pBAp5XhKpN4eOyVTGfhEClj8jTk+0hy2o2YMWva7E353HWE2:sbXE9OiTGfhEClq95kYvN2E2

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1976	WScript.exe
5	1976	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\Uninstall.exe	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\createyourmonkey.jon	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuesthunderbow.vbs	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\FreeontheApp.bat	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\Worldsaccounn.vbs	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\BigTime.Rush	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File created	C:\Program Files (x86)\dali_vseh\ya_lubov\Uninstall.ini	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\Kids Virtual Worlds.yyy	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuestsince.bat	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
File opened for modification	C:\Program Files (x86)\dali_vseh\ya_lubov\Alreadyhava.Nickelodeon	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 896	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	27
PID 368 wrote to memory of 896	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	27
PID 368 wrote to memory of 896	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	27
PID 368 wrote to memory of 896	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	27
PID 368 wrote to memory of 1724	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	29
PID 368 wrote to memory of 1724	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	29
PID 368 wrote to memory of 1724	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	29
PID 368 wrote to memory of 1724	368	b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe	29
PID 1724 wrote to memory of 2024	1724	cmd.exe	31
PID 1724 wrote to memory of 2024	1724	cmd.exe	31
PID 1724 wrote to memory of 2024	1724	cmd.exe	31
PID 1724 wrote to memory of 2024	1724	cmd.exe	31
PID 1724 wrote to memory of 1976	1724	cmd.exe	32
PID 1724 wrote to memory of 1976	1724	cmd.exe	32
PID 1724 wrote to memory of 1976	1724	cmd.exe	32
PID 1724 wrote to memory of 1976	1724	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe
"C:\Users\Admin\AppData\Local\Temp\b7938c1c53a8438ffe2715d22400a393918e79cbcfaef144b0ac2c2514351215.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuestsince.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\dali_vseh\ya_lubov\FreeontheApp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dali_vseh\ya_lubov\Worldsaccounn.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:2024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuesthunderbow.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dali_vseh\ya_lubov\Alreadyhava.Nickelodeon

Filesize
70B

MD5
429058fac8b9b053494c1f9d13e24aad

SHA1
00bba26502786da9e43f66767b72679f09a1ee38

SHA256
04d5deb0eba617eaef51cf38ed0b24ab6c9b12b548edd58178e3e775d777450f

SHA512
f8923521a286ba056c7f9c105f7d106d74b815f78109090d906bc6700fbc41a0ce8bcb6d2564258f0c08cf7b6be1b31357a2ba99de046bc7992bbb9b8c53c745

Download Submit
C:\Program Files (x86)\dali_vseh\ya_lubov\FreeontheApp.bat

Filesize
92B

MD5
9a71bccbd5b077c00029faf68be58f41

SHA1
ca3a986146883af4c4aa02f4429b514cce6d2a8c

SHA256
bdfab74238a88e77c37f284f6c257b9717b2ed1925366a5fd5263cd8ce2fcb8c

SHA512
519e3bf353436cae18ac0fe4c7995febb0b4b454962187d7e88328d9773d0da41e58ac83e182258693bda50eb25ab4e2f3f3d2d9036c0ec8649f01d1d81899a7

Download Submit
C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuesthunderbow.vbs

Filesize
342B

MD5
b2f9d869bd81c988650bc860408c3e33

SHA1
1743040129a7a5096fc77b35440b79c40548eb24

SHA256
09b290317b27eb0e0f08b93041cfa613a966b367303feddc81ec2f5ee0fb514f

SHA512
0733d8f50afe257fca1bbd3b45bb33395f41c314de05a11778c02c30483afbe43c71023f0a9eb5551bd8df7112d0ca0895477ec1cd1e5d84275a83193fdee3fe

Download Submit
C:\Program Files (x86)\dali_vseh\ya_lubov\MonkeyQuestsince.bat

Filesize
2KB

MD5
42eb9172d67f02ab1c89999d84a8612c

SHA1
57cf388006379833b1924428ffe88075e3282786

SHA256
306a260b1bf4b36fb1b4d5fc2243ba77af217d327a34671262dbd4ee227cc879

SHA512
c5d266e3cd6f0d4029eb255c9306de43b4ed8b03965b10bf1ac6398a19df6460462f237cab9daee1ddf29af7027e2e9e2792eafbb6c12b2dbc484d26d512025f

Download Submit
C:\Program Files (x86)\dali_vseh\ya_lubov\Worldsaccounn.vbs

Filesize
833B

MD5
4eecc6e4b094d4440e7ea88540d763c0

SHA1
28d04cf76dfd72716c72105b74f08cd3aa342ec4

SHA256
18a8dc1e02c56a8445d501708a715a785d74cb22d738e3defdc1343d89564de2

SHA512
21ec9f86a410eb1ef7ced828c95d87645ad87eddd444b9dd0f9d49c4a01f051c21580396b90ea36c38e545426fe0b1263586c8569c723c094da80c9ec068434f

Download Submit
C:\Program Files (x86)\dali_vseh\ya_lubov\createyourmonkey.jon

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
95314eb23b2ba658504e275c659caa57

SHA1
782daa5d7baebd7e378a10a0fdcfb447628a1d89

SHA256
e129e2ca9b2133e0a84b954640d88088520c3f0744d6f1233a63a4adf89ea9d9

SHA512
64e9b2e7c4c276de22d62742a00fc5137bfdb29b4ea3fcf33e802fa0d97725b14a1705d3fb2c824af36dbc83fb14f325cc8fd0dc2e259fee9eb16e91618500df

Download Submit
memory/368-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing