c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5

General

Target

c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
Size

167KB
MD5

8f88db6fe0d709495c4e5ea39f6a6ebd
SHA1

0b5134afef9070737400368e2ca89ee4472f07df
SHA256

c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5
SHA512

960c88cc7697211fb62b0608b63886e256007cbe2709fcf8aa464a429c5acdc8b010d4624669a6684c7872d5c57d588cc47dd43dbcf88ef568123eb1040d6f93
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hAa8nYcT9IsMGTz:dbXE9OiTGfhEClq928nYeMGTz

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	588	WScript.exe
5	588	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nuzki.luzki	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\nikloka.bat	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\valera.alera.valera	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\Uninstall.exe	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\surzik_masurzik.alo	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\runer.bat	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File created	C:\Program Files (x86)\i chaya\telochka\Uninstall.ini	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
File opened for modification	C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1448	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	27
PID 808 wrote to memory of 1448	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	27
PID 808 wrote to memory of 1448	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	27
PID 808 wrote to memory of 1448	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	27
PID 808 wrote to memory of 628	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	29
PID 808 wrote to memory of 628	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	29
PID 808 wrote to memory of 628	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	29
PID 808 wrote to memory of 628	808	c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe	29
PID 628 wrote to memory of 1012	628	cmd.exe	31
PID 628 wrote to memory of 1012	628	cmd.exe	31
PID 628 wrote to memory of 1012	628	cmd.exe	31
PID 628 wrote to memory of 1012	628	cmd.exe	31
PID 628 wrote to memory of 588	628	cmd.exe	32
PID 628 wrote to memory of 588	628	cmd.exe	32
PID 628 wrote to memory of 588	628	cmd.exe	32
PID 628 wrote to memory of 588	628	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
"C:\Users\Admin\AppData\Local\Temp\c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\i chaya\telochka\nikloka.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\i chaya\telochka\runer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\i chaya\telochka\nikloka.bat

Filesize
2KB

MD5
5c907084bd16fc42558740f8d8649599

SHA1
df7e92dcffdee2fcdb4db9a062919535f6860c49

SHA256
140d511d2bc28102cd12a6cfcdd2cdccc865d926bf753a826c609a2317190d34

SHA512
070c1a17378675d1ec1df9c5c546b3a3300093d5eec7c679444a4e71b2712714bebb2844fb22406af4fb2b590fce7d534d86e3495c47a42a9274adcdbae1bb64

Download Submit
C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str

Filesize
63B

MD5
631cae64a11cb8db07414957be3ae7c7

SHA1
40f93feb9a12f99b83e82a4338323de9b06547f9

SHA256
5aeac4b9682895a4945d38d04927cd239841b600e51276a93e84bdc86fb7f979

SHA512
2f8f43d6d1494e8ad7e19ee309e9a61bbcf190ed7a9ad1d7ab0819678dac2b2e35361b0bb866815ebd512407941c909b29c509e445c7faa7cd51753f6615b9f0

Download Submit
C:\Program Files (x86)\i chaya\telochka\nuzki.luzki

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\i chaya\telochka\runer.bat

Filesize
80B

MD5
d6aa3c15f47dec3766bff078c22dae78

SHA1
585997ddcefa664bbf93032207fef7a752ade6e9

SHA256
cc57d8204a122c24aab7efcae281bff5e434b213f915483d9e0636f8b26bd375

SHA512
5fdb00ad07c03f27c1af7645d804910fd02a0b199cd6e9a6cc76cb85515afec9ae3b207b353a10f70a6922ece0639fbf337847cb9aeed2519ec25cfd887493d4

Download Submit
C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs

Filesize
957B

MD5
9afcf9602d883b06c58ef35f39009f6f

SHA1
81b08bab5e681fd5954fa3cac70a5788f4643968

SHA256
5046db56bb42a138c80c1b83a84995c8db8337e4c299ffbd4c8d8d9cb526e0a4

SHA512
6be88f969aa9b552b0f51a4db848bdc99fce6b50a2f6aee2c11b2a8e0d3c2097ea59eac90d1cfd21c04cca9c15678468ed831dcebe011c018dc20f3300b55f3f

Download Submit
C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs

Filesize
421B

MD5
83048123e2f50b3a46b7d310d39f3984

SHA1
ad7854ea16d5fb44e9aa54c80afcd93515ef94ed

SHA256
f45478f9f85c6a81e210b8886dc678a057146aeda63002ce472aea5cb850426e

SHA512
7727d926702dbdb3f72513479427c8a8ab27b43bc0442bade9e335848b4ea7bac64c771ca72894a005db809c0a86f953c989ddce184f3720bb108b92de3423f9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
edea7a5b546c0c41d27e6c6bdc852350

SHA1
b22bfe2037c0f68d0356744ad5666734fc93bbc1

SHA256
5d804d513d15ce7e5092c6b04faf2f5063551e7a69d17836bba5ca25b0a45e0d

SHA512
89e8771404ab7ca0590b5127a3b24dd8d8f555bdb95e268bae51667401b226e7c8d45af861265cd80838bb688329a3282f98a0a9fc2ef808dbc228cf0d59340e

Download Submit
memory/808-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing