e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676

Analysis

max time kernel
58s
max time network
43s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
Size

241KB
MD5

32e42ab434c0f650929be9eed7a09649
SHA1

123441fe918d7072a9c402c21d4b9996a4e0c0e2
SHA256

e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676
SHA512

0dab029975c3bd50d39e0bbaebb7f009ec7215285b72e0acd0a8bc4ef08751f6a0ced311796747201d890e9e0e0f462349eaa5eb605526d1df3cab7bdec98aa9
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxXCATB1Z:lXmwRo+mv8QD4+0N46NKxXRZ

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

3 1912 WScript.exe
4 1912 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
3	1912	WScript.exe
4	1912	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 5 IoCs

Processes:

e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1984	2036	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe	cmd.exe
PID 2036 wrote to memory of 1984	2036	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe	cmd.exe
PID 2036 wrote to memory of 1984	2036	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe	cmd.exe
PID 2036 wrote to memory of 1984	2036	e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe	cmd.exe
PID 1984 wrote to memory of 1912	1984	cmd.exe	WScript.exe
PID 1984 wrote to memory of 1912	1984	cmd.exe	WScript.exe
PID 1984 wrote to memory of 1912	1984	cmd.exe	WScript.exe
PID 1984 wrote to memory of 1912	1984	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe
"C:\Users\Admin\AppData\Local\Temp\e48ac1ba65a8acaa7000a4f5c237bba7a95386e4b0fd021afa33e1bd8215b676.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat

Filesize
993B

MD5
1476947ed3907af63f07b1dc1a046e24

SHA1
5e84a82670c1041515e14fda7a9bf758b16561a9

SHA256
203646661662540630e44dd5f0e20a1c8a2c9775b7ca486086c0a47ce3261697

SHA512
018f62d8f8d8812bbe097b55c45014339627f03be5c4a0b25faad06c5335732a7c982ea11abc30d8b3a77b32cfb913b2aeb9ed9925973f56a7fd61c01fbd0ae7

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs

Filesize
160B

MD5
feff9dce1512eff1e5a05a297b0c5996

SHA1
37012cb3d4010b7f20c55607294616bfc9b01105

SHA256
21f415e325056efecc23dc8542f9f0a56b8d9ea53d571c89d156753c75f6d176

SHA512
a2d80090c1f6d484aa858fa6a0536e24b98a476619932c9cf500cff311622ccb430f6ba3709e2b96278e82ad3f7b466c5cfd4267b89e1feb93058bacdca921d9

Download Submit
memory/1912-60-0x0000000000000000-mapping.dmp

Download
memory/1984-55-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download