021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e

General

Target

021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
Size

241KB
MD5

7140593ad4bf56a07d7f63b1f3af6b1e
SHA1

cbe16be9232431e721ee3042b8b0873853acf695
SHA256

021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e
SHA512

96ef2a539db34b8c82a4084ff7fcbe47e100b2f4f41cebab3e1b48a60e84cdc03c0aadbf710d1a3406dfa8633a9364fe8d69c837e0dedb51f09a45b43b2cd5e7
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxzUVO0IJO:lXmwRo+mv8QD4+0N46NKxzyzIJO

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

12 4800 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

flow	pid	process
12	4800	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 5012	616	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe	cmd.exe
PID 616 wrote to memory of 5012	616	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe	cmd.exe
PID 616 wrote to memory of 5012	616	021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe	cmd.exe
PID 5012 wrote to memory of 4800	5012	cmd.exe	WScript.exe
PID 5012 wrote to memory of 4800	5012	cmd.exe	WScript.exe
PID 5012 wrote to memory of 4800	5012	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe
"C:\Users\Admin\AppData\Local\Temp\021c55e0f80853f48684eea06f4956ffe8449d0e13c29634182da6e231c6301e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat

Filesize
881B

MD5
5ffa1475973db3d152b567f202abc697

SHA1
13020f92a1aee835a92e6e3e3ba21808ea844fa7

SHA256
eb6936431ae10daf17e96aebb392053357c462c7f6a11370ce14dfe54426b8f5

SHA512
17e2a3fd691b027facec171ccda726a7835f1c150e286c6a0415f02748fe1c80f92d739cfd2e39f64b980e85ea62b90f47693757e0297ce2b045646e8fcd4c8e

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs

Filesize
163B

MD5
66e0e995cd8207abcadc9c2e4a76a4ff

SHA1
c180e1c0d551ad0e6af23921e5db99f017931715

SHA256
c9fb83dd8675bf81171859b5d736390aa73aded5a2f4c008286249a9cf27b712

SHA512
ef51b8c6307f65b55b1f0a4fe00f2d45634939b4cd1016a46f3326aa5ea84e60ab133615b355f659418d6da3a20d72a35888577b689e87327f8d08be303b654d

Download Submit
memory/4800-136-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads