4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055

Analysis

max time kernel
63s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
Size

241KB
MD5

af1f4f86dc4594add73e35f73011e2b8
SHA1

51cf43f667dba267a27f43b3eb4818564359bd0b
SHA256

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055
SHA512

850c1aa4c4be581879c24ee67aba986de6c19f2a419ccec13c34a63277c9f3fb6021c04cf863aa558790fd65d4b317d2844e32d652b8c11c7e2bd426bf4a0d5d
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxCpQ0wxFT+g:lXmwRo+mv8QD4+0N46NKxCyHxl

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

3 940 WScript.exe
4 940 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
3	940	WScript.exe
4	940	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 5 IoCs

Processes:

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe

description	ioc	process
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 1204	1424	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 1204 wrote to memory of 940	1204	cmd.exe	WScript.exe
PID 1204 wrote to memory of 940	1204	cmd.exe	WScript.exe
PID 1204 wrote to memory of 940	1204	cmd.exe	WScript.exe
PID 1204 wrote to memory of 940	1204	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
"C:\Users\Admin\AppData\Local\Temp\4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat

Filesize
900B

MD5
a628d3720e3c252fa5f2d34c16b68189

SHA1
a70ee2d2497c0bdd4936bbadc725c0cf4d5d5597

SHA256
d76717361021bf589669ce37c57c7126a4b1985347067b3fb6106d1844d9fc8c

SHA512
976959f10415c16da7bfc39ec10ea8832ee6555310758666ed83ffbd41917ea81af1b3c7abb49fc718c6699611d57218feedf924b0e74243e4821fc050e1fefc

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs

Filesize
189B

MD5
e3a71ecbb9fc743aa29239c5b03a2fbe

SHA1
8aba26e09c8fd903f1dec0dd142115a431a0e0bd

SHA256
8736e87a88ae6a1fa7dbc8722c39251af1ba49eb51329056bd1f68cf309df57d

SHA512
e8301456e4582758d6375b25bea72750d2491082170510f0030ab5f9fc4b372b243d057f06451a0ae555f63e38172a859fd8565edd2db4acc33cd6f55f79af69

Download Submit
memory/940-60-0x0000000000000000-mapping.dmp

Download
memory/1204-55-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download