Analysis

  • max time kernel
    171s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-11-2022 11:21

General

  • Target

    c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe

  • Size

    167KB

  • MD5

    8f88db6fe0d709495c4e5ea39f6a6ebd

  • SHA1

    0b5134afef9070737400368e2ca89ee4472f07df

  • SHA256

    c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5

  • SHA512

    960c88cc7697211fb62b0608b63886e256007cbe2709fcf8aa464a429c5acdc8b010d4624669a6684c7872d5c57d588cc47dd43dbcf88ef568123eb1040d6f93

  • SSDEEP

    3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hAa8nYcT9IsMGTz:dbXE9OiTGfhEClq928nYeMGTz

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe
    "C:\Users\Admin\AppData\Local\Temp\c9496ac545f5a510a7b7e9d126454505925ee887c88e5755c36408aff47ac3d5.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\nikloka.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:4392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\i chaya\telochka\runer.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:2112
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:4176

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\i chaya\telochka\nikloka.bat

    Filesize

    2KB

    MD5

    5c907084bd16fc42558740f8d8649599

    SHA1

    df7e92dcffdee2fcdb4db9a062919535f6860c49

    SHA256

    140d511d2bc28102cd12a6cfcdd2cdccc865d926bf753a826c609a2317190d34

    SHA512

    070c1a17378675d1ec1df9c5c546b3a3300093d5eec7c679444a4e71b2712714bebb2844fb22406af4fb2b590fce7d534d86e3495c47a42a9274adcdbae1bb64

  • C:\Program Files (x86)\i chaya\telochka\numerovat.naoborot.str

    Filesize

    63B

    MD5

    631cae64a11cb8db07414957be3ae7c7

    SHA1

    40f93feb9a12f99b83e82a4338323de9b06547f9

    SHA256

    5aeac4b9682895a4945d38d04927cd239841b600e51276a93e84bdc86fb7f979

    SHA512

    2f8f43d6d1494e8ad7e19ee309e9a61bbcf190ed7a9ad1d7ab0819678dac2b2e35361b0bb866815ebd512407941c909b29c509e445c7faa7cd51753f6615b9f0

  • C:\Program Files (x86)\i chaya\telochka\nuzki.luzki

    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\i chaya\telochka\runer.bat

    Filesize

    80B

    MD5

    d6aa3c15f47dec3766bff078c22dae78

    SHA1

    585997ddcefa664bbf93032207fef7a752ade6e9

    SHA256

    cc57d8204a122c24aab7efcae281bff5e434b213f915483d9e0636f8b26bd375

    SHA512

    5fdb00ad07c03f27c1af7645d804910fd02a0b199cd6e9a6cc76cb85515afec9ae3b207b353a10f70a6922ece0639fbf337847cb9aeed2519ec25cfd887493d4

  • C:\Program Files (x86)\i chaya\telochka\taktakanton.vbs

    Filesize

    957B

    MD5

    9afcf9602d883b06c58ef35f39009f6f

    SHA1

    81b08bab5e681fd5954fa3cac70a5788f4643968

    SHA256

    5046db56bb42a138c80c1b83a84995c8db8337e4c299ffbd4c8d8d9cb526e0a4

    SHA512

    6be88f969aa9b552b0f51a4db848bdc99fce6b50a2f6aee2c11b2a8e0d3c2097ea59eac90d1cfd21c04cca9c15678468ed831dcebe011c018dc20f3300b55f3f

  • C:\Program Files (x86)\i chaya\telochka\zeloboika_karen.vbs

    Filesize

    421B

    MD5

    83048123e2f50b3a46b7d310d39f3984

    SHA1

    ad7854ea16d5fb44e9aa54c80afcd93515ef94ed

    SHA256

    f45478f9f85c6a81e210b8886dc678a057146aeda63002ce472aea5cb850426e

    SHA512

    7727d926702dbdb3f72513479427c8a8ab27b43bc0442bade9e335848b4ea7bac64c771ca72894a005db809c0a86f953c989ddce184f3720bb108b92de3423f9

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    edea7a5b546c0c41d27e6c6bdc852350

    SHA1

    b22bfe2037c0f68d0356744ad5666734fc93bbc1

    SHA256

    5d804d513d15ce7e5092c6b04faf2f5063551e7a69d17836bba5ca25b0a45e0d

    SHA512

    89e8771404ab7ca0590b5127a3b24dd8d8f555bdb95e268bae51667401b226e7c8d45af861265cd80838bb688329a3282f98a0a9fc2ef808dbc228cf0d59340e