Analysis
- max time kernel: 200s
- max time network: 221s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 06:51
Static task: static1
Behavioral task: behavioral1
- Sample: 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
- Resource: win10v2004-20221111-en
General
- Target: 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
- Size: 241KB
- MD5: bcfac5bc01c61811fb62470e9b23bd38
- SHA1: 0fd0506958682877a7a599112786ab0ac0b2f9ab
- SHA256: 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab
- SHA512: 05b1509f5ba3c7e3f1488d92d8a58ea46b8f53ad33b0ee8fefa5ebae779a0e377f5b4842f2aadff551d44d58e7a9c66f01efa4ece853da9d4c2d3f3574878267
- SSDEEP: 6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKx6afRstZzwU:lXmwRo+mv8QD4+0N46NKx6KbU
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  34 | 2556 | WScript.exe
- Drops file in Drivers directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | cmd.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (5 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\1.txt | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\Uninstall.exe | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  File created | C:\Program Files (x86)\Insata\Ikars\Uninstall.ini | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\sanodo.vbs | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\albur.bat | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | cmd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 380 wrote to memory of 216 | 380 | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe | cmd.exe
  PID 380 wrote to memory of 216 | 380 | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe | cmd.exe
  PID 380 wrote to memory of 216 | 380 | 6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe | cmd.exe
  PID 216 wrote to memory of 2556 | 216 | cmd.exe | WScript.exe
  PID 216 wrote to memory of 2556 | 216 | cmd.exe | WScript.exe
  PID 216 wrote to memory of 2556 | 216 | cmd.exe | WScript.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (child of [1])
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe (child of [2])
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Insata\Ikars\1.txt
  Filesize: 27B
  MD5: 213c0742081a9007c9093a01760f9f8c
  SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
  SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
  SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
- C:\Program Files (x86)\Insata\Ikars\albur.bat
  Filesize: 890B
  MD5: 7e849d41e38ab830968b4571e928f932
  SHA1: ce6473a24bfe3efe9702fa2138686991632afa12
  SHA256: 66cdc2ee349bc429ebb4fb7a940030c1659d0a8447bb0ead56b1e785c210a479
  SHA512: 39d02b11e7152b67a7f70de110f29679829e8affe902880a9f9db8dfc4c1bb264e72c9efd429258809cfe54889c6f69edbe96fa552fd9443f0e9eeb21d2c77b7
- C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
  Filesize: 184B
  MD5: 65c4b3a3e24b7b00d8b52ceefdeac383
  SHA1: 7c3f1e013b32460544f7692a29fd1447e0fe3212
  SHA256: d85a00da258b5c553342f8aab2dc630f3c6e6bf6256dbc59b03e7b5e7b094726
  SHA512: 7fbfceb78aca9c41d10f209f8a81adb9ca2a623519f970b937e1825e1689c63c2e016121dc05f7bbdd8fdb510681d8589ebe31ecaee3865206cfa8d0d22f5ecd
- memory/216-132-0x0000000000000000-mapping.dmp
- memory/2556-136-0x0000000000000000-mapping.dmp