872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d

General

Target

872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe
Size

180KB
MD5

7e401837eb093f039dc2ad7ebcd3d267
SHA1

e180683f987cd557b387189b026122f874a42c58
SHA256

872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d
SHA512

44014fd0d14be849a0ccd34aa79a883f79f863c49b4e3a140b0031c6c34857a08987e019dbafc955426d5b7cf56fc0a1d7a0157aeaf327bcc59b6b3c0701e1a7
SSDEEP

3072:+BAp5XhKpN4eOyVTGfhEClj8jTk+0hxG8jQExTlO:VbXE9OiTGfhEClq99W9xg

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1376	WScript.exe
4	1376	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulitsah\take me to the\aguram\____000000_____.vbs	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe
File opened for modification	C:\Program Files (x86)\na ulitsah\take me to the\aguram\_______22222_______.vbs	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe
File opened for modification	C:\Program Files (x86)\na ulitsah\take me to the\aguram\popizdota.dot	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe
File opened for modification	C:\Program Files (x86)\na ulitsah\take me to the\333\123456789876______________432.bat	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 932	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	27
PID 1064 wrote to memory of 932	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	27
PID 1064 wrote to memory of 932	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	27
PID 1064 wrote to memory of 932	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	27
PID 1064 wrote to memory of 564	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	29
PID 1064 wrote to memory of 564	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	29
PID 1064 wrote to memory of 564	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	29
PID 1064 wrote to memory of 564	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	29
PID 1064 wrote to memory of 1376	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	30
PID 1064 wrote to memory of 1376	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	30
PID 1064 wrote to memory of 1376	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	30
PID 1064 wrote to memory of 1376	1064	872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe	30

C:\Users\Admin\AppData\Local\Temp\872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe
"C:\Users\Admin\AppData\Local\Temp\872ec2673f1bf43c1a97f3b72bf416ab3b7832a1472a535fa5eb1b3374be943d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\na ulitsah\take me to the\333\123456789876______________432.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulitsah\take me to the\aguram\____000000_____.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulitsah\take me to the\aguram\_______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulitsah\take me to the\333\123456789876______________432.bat

Filesize
1KB

MD5
60d0caf3db1ec9296b66e00243e2fca4

SHA1
561c76d6dc1e0964e8047c464afbcc0460cc132e

SHA256
5f69f74a7a0fd9adc862e4c2b3caa9e9a3d8c35570c479f82c9305ed2784a285

SHA512
c1ae05794f14780d04dcfc9efa34a68b644349f52f11237dea2c71c02d7b1501b77b13621780f5bfc579c4a625d43859c5b0ffb6b7e2f1141167fbbbb0b2a8e7

Download Submit
C:\Program Files (x86)\na ulitsah\take me to the\aguram\____000000_____.vbs

Filesize
896B

MD5
7842b8da4aa9b49764b8422e9d347f62

SHA1
1b69590c4e2e5b799a9c0116aa8e9b3ca5b82b8a

SHA256
514778e27d95bfd3569d39e8dd20c63b36b7ae040de691b0760a6bd72584b00f

SHA512
ac2213187a4a62c95618ff10701e5bada5f9e6981db71a2e15155b7f83d3513b2237cb2dbfd794831780eb13caa8f764fd4b08f357eeb2c32519c33adcbb10c0

Download Submit
C:\Program Files (x86)\na ulitsah\take me to the\aguram\_______22222_______.vbs

Filesize
597B

MD5
a14fbb31c657fd17d4f744133ce34066

SHA1
0993eb124701b76bcc75b6ac85ff84c685b8535a

SHA256
f9e466b7a037d6d3fd70ea99da48394bfc8a1ff6ee2c0146f951175dee8ca0c3

SHA512
1dc0da6660dc73702def7e70af3883295603d36dce80abec83c049ab5a6eed6c71c455a4720941b1d76bdb714988858c2d60a112128048b92d55d407d27a0f11

Download Submit
C:\Program Files (x86)\na ulitsah\take me to the\aguram\popizdota.dot

Filesize
39B

MD5
55fc67036fdede3dcb4ed05b93add19d

SHA1
173166aa9bf5045c6fab3dd524ffdc241d38b855

SHA256
a16a831ec1584f9856ea3eef9051241cac6b2d5cd586583592019224be90db15

SHA512
a5f96a7684a896543d76789e739566fe2733b722bd65ae0b3f18b6eb6e8bcf9cb030dc278cf4b45df0dc363aaefd70ebc3dd64b6b1c2e3303b674783e95f8177

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
3340d48c16b0d87a593c16557a5a7fff

SHA1
7d832e32cbc75244ea305a75e5fb8a4ad0f84432

SHA256
3627919231fb0106fd42441761877eedf7d187862d988508302ff0814a9f55af

SHA512
4d132127d02107a39f61dee872eeb8ac1da70e3172791f4a21a6902bcb7ee142bf4b5f578bbb762f9e236e12e9cde3b640fbb1cd9b6fcb33b8b23853a91333c1

Download Submit
memory/564-57-0x0000000000000000-mapping.dmp

Download
memory/932-55-0x0000000000000000-mapping.dmp

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1376-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing