b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0

General

Target

b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
Size

241KB
MD5

192bb6f516a7dd558a35e599542633c8
SHA1

c6b9074a8e7117a91592da68325031cba9dd6ac7
SHA256

b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0
SHA512

3d7ccc87342fc9a8df64687120fd136c1d2a94cc3566ed2199c325e15aa170957359190634b7905f3215ff309933a0f9b848643441c2a33d14bbc1c0285f7f30
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxYR0:lXmwRo+mv8QD4+0N46NKxYR0

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

11 2184 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

flow	pid	process
11	2184	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe

description	ioc	process
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.execmd.exe

description	pid	process	target process
PID 5004 wrote to memory of 1428	5004	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe	cmd.exe
PID 5004 wrote to memory of 1428	5004	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe	cmd.exe
PID 5004 wrote to memory of 1428	5004	b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe	cmd.exe
PID 1428 wrote to memory of 2184	1428	cmd.exe	WScript.exe
PID 1428 wrote to memory of 2184	1428	cmd.exe	WScript.exe
PID 1428 wrote to memory of 2184	1428	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe
"C:\Users\Admin\AppData\Local\Temp\b88f30b61aa073e834c926c2df412a4b591ae28fb25741892cfed7b8f848cea0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat

Filesize
1019B

MD5
9fb36ab0a4f0eeb94f9faf2d7a2ed918

SHA1
03a6df75c45d10f37c4a739ffbd769ed8cbdbf40

SHA256
868944bb79168f8deb87e030273a84b68d4c7991d98a6856e2479735bb4003ed

SHA512
ae6756a9ae7afcec9e56f55767ad0e5a7c8c4279ecd7ec3e0a18553984465b360492c3fbb2f389d0f379c53c58945a8429dcf1deb9f903a04ad2ee3e0b6d7aec

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs

Filesize
196B

MD5
4446c060847829ae046fe3fe5e1b6440

SHA1
16a9bdc6c146586e9466f295188e3cc341baa7dd

SHA256
143a2a78718ea34d37e66ca81b6ac892c9e95a7b18d64b5bc8d40a18f8c3b92f

SHA512
333db482150593fdfba69e33560d95a733c02003fba6fa1632fe796bc4c1c96fa215a112351941c6bbed2d35bda56e06af7c464620d6fae036e0b93d8ebc30c1

Download Submit
memory/1428-132-0x0000000000000000-mapping.dmp

Download
memory/2184-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads